Parsing [\\\\\\… takes exponential time

[andersk]

new commonmark.Parser().parse("[" + "\\".repeat(n)) runs in exponential time:

[\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ → 1.2 seconds
[\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ → 1.8 seconds
[\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ → 2.9 seconds
[\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ → 4.7 seconds
[\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ → 7.5 seconds
[\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ → 12.5 seconds
[\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ → 20.2 seconds
[\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ → 32.8 seconds
[\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ → 52.7 seconds
[\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ → 83.9 seconds
[\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ → 137.8 seconds

This could be a denial of service vulnerability in an application that parses user input.

[andersk]

There are also quadratic time cases, like new commonmark.Parser().parse("[](".repeat(30000)). (Would you like separate bug reports for these?) Edit: This quadratic one was reported in #129.

[jgm]

Thanks for reporting. cmark (the C reference implementation) does not seem to have exponential behavior with this. That's interesting because the parsing strategies used are very similar.

[jgm]

There are also quadratic time cases, like `new commonmark.Parser().parse("[](".repeat(30000))`. (Would you like separate bug reports for these?)

I think a separate issue would be appropriate, thanks. As with the other issue, I don't see quadratic behavior with cmark, only with commonmark.js.

[jgm]

The second case probably has to do with parseLinkDestination (though I don't see anything there that would explain quadratic behavior).