Fix asteris emphasis regex CVE-2022-34749

lepture · lepture · commit a6d43215132f · 2022-07-02T00:10:44.000+09:00
diff --git a/mistune/inline_parser.py b/mistune/inline_parser.py
@@ -64,8 +64,8 @@ class InlineParser(ScannerParser):
     #:    _emphasis_  __strong__
     ASTERISK_EMPHASIS = (
         r'(\*{1,2})(?=[^\s*])('
-        r'(?:\\[\\*]|[^*])*'
-        r'(?:' + ESCAPE_TEXT + r'|[^\s*]))\1'
+        r'(?:(?:(?<!\\)(?:\\\\)*\*)|[^*])+'
+        r')(?<!\\)\1'
     )
     UNDERSCORE_EMPHASIS = (
         r'\b(_{1,2})(?=[^\s_])([\s\S]*?'
diff --git a/tests/fixtures/non-commonmark.txt b/tests/fixtures/non-commonmark.txt
@@ -12,12 +12,6 @@
 <p>[link [foo [bar]]](/uri)</p>
 ````````````````````````````````
 
-```````````````````````````````` example
-[link *foo **bar** `#`*](/uri)
-.
-<p><a href="/uri">link *foo <strong>bar</strong> <code>#</code>*</a></p>
-````````````````````````````````
-
 ```````````````````````````````` example
 [foo [bar](/uri)](/uri)
 .
@@ -48,14 +42,6 @@
 <p><a href="uri">foo&lt;http://example.com/?search=</a>&gt;</p>
 ````````````````````````````````
 
-```````````````````````````````` example
-[link *foo **bar** `#`*][ref]
-
-[ref]: /uri
-.
-<p><a href="/uri">link *foo <strong>bar</strong> <code>#</code>*</a></p>
-````````````````````````````````
-
 ```````````````````````````````` example
 [foo [bar](/uri)][ref]
 
