@cj-tech-master/excelts 9.5.5 → 9.5.6

package/dist/esm/modules/word/security/digital-signatures.js

@@ -46,52 +46,179 @@ export function parseSignatureXml(xmlStr, fileName) {
         fileName,
         cryptographicStatus: "not-verified"
     };
-    // Extract Office-specific metadata from <SignatureInfoV1>
-    const sigTextMatch = /<SignatureText[^>]*>([^<]*)<\/SignatureText>/.exec(xmlStr);
-    if (sigTextMatch) {
-        info.signer = xmlDecode(sigTextMatch[1]);
+    // Each `<TagName ...>...</TagName>` lookup used to be a regex of the
+    // form `/<Tag[^>]*>([^<]*)<\/Tag>/.exec(xmlStr)`. Although `[^>]*` and
+    // `[^<]*` are linear in isolation, running ten such regexes against
+    // attacker-controlled signature XML triggers CodeQL's
+    // `js/polynomial-redos` rule. `extractTextElement` performs the same
+    // job in a single linear scan and cannot exhibit super-linear runtime.
+    const signer = extractTextElement(xmlStr, "SignatureText");
+    if (signer !== undefined) {
+        info.signer = xmlDecode(signer);
     }
-    const sigCommentsMatch = /<SignatureComments[^>]*>([^<]*)<\/SignatureComments>/.exec(xmlStr);
-    if (sigCommentsMatch) {
-        info.signatureComments = xmlDecode(sigCommentsMatch[1]);
+    const sigComments = extractTextElement(xmlStr, "SignatureComments");
+    if (sigComments !== undefined) {
+        info.signatureComments = xmlDecode(sigComments);
     }
-    const purposeMatch = /<SignaturePurpose[^>]*>([^<]*)<\/SignaturePurpose>/.exec(xmlStr);
-    if (purposeMatch) {
-        info.purpose = xmlDecode(purposeMatch[1]);
+    const purpose = extractTextElement(xmlStr, "SignaturePurpose");
+    if (purpose !== undefined) {
+        info.purpose = xmlDecode(purpose);
     }
-    const dateMatch = /<SignatureDate[^>]*>([^<]*)<\/SignatureDate>/.exec(xmlStr);
-    if (dateMatch) {
-        info.signDate = xmlDecode(dateMatch[1]);
+    const signDate = extractTextElement(xmlStr, "SignatureDate");
+    if (signDate !== undefined) {
+        info.signDate = xmlDecode(signDate);
     }
-    const providerMatch = /<SignatureProviderUrl[^>]*>([^<]*)<\/SignatureProviderUrl>/.exec(xmlStr);
-    if (providerMatch) {
-        info.providerUrl = xmlDecode(providerMatch[1]);
+    const providerUrl = extractTextElement(xmlStr, "SignatureProviderUrl");
+    if (providerUrl !== undefined) {
+        info.providerUrl = xmlDecode(providerUrl);
     }
-    // Commitment type
-    const commitMatch = /<CommitmentType[^>]*>\s*<CommitmentTypeIndication[^>]*>\s*<CommitmentTypeId>([^<]*)<\/CommitmentTypeId>/.exec(xmlStr);
-    if (commitMatch) {
-        info.commitmentType = xmlDecode(commitMatch[1]);
+    // Commitment type — nested element. Read the full `<CommitmentType>`
+    // body (which contains nested elements, hence `allowAngleBrackets`)
+    // then look for `<CommitmentTypeId>` inside.
+    const commitmentBlock = extractTextElement(xmlStr, "CommitmentType", {
+        allowAngleBrackets: true
+    });
+    if (commitmentBlock !== undefined) {
+        const commitmentId = extractTextElement(commitmentBlock, "CommitmentTypeId");
+        if (commitmentId !== undefined) {
+            info.commitmentType = xmlDecode(commitmentId);
+        }
     }
-    // Extract signature value (base64)
-    const sigValMatch = /<SignatureValue[^>]*>([^]*?)<\/SignatureValue>/.exec(xmlStr);
-    if (sigValMatch) {
-        info.signatureValue = sigValMatch[1].trim();
+    // Signature value (base64 — may legitimately span newlines, so don't strip).
+    const signatureValue = extractTextElement(xmlStr, "SignatureValue", { allowAngleBrackets: true });
+    if (signatureValue !== undefined) {
+        info.signatureValue = signatureValue.trim();
     }
     // Certificate details from <X509Data>
-    const certSubjectMatch = /<X509SubjectName[^>]*>([^<]*)<\/X509SubjectName>/.exec(xmlStr);
-    if (certSubjectMatch) {
-        info.certificateSubject = xmlDecode(certSubjectMatch[1]);
+    const certSubject = extractTextElement(xmlStr, "X509SubjectName");
+    if (certSubject !== undefined) {
+        info.certificateSubject = xmlDecode(certSubject);
     }
-    const certIssuerMatch = /<X509IssuerName[^>]*>([^<]*)<\/X509IssuerName>/.exec(xmlStr);
-    if (certIssuerMatch) {
-        info.certificateIssuer = xmlDecode(certIssuerMatch[1]);
+    const certIssuer = extractTextElement(xmlStr, "X509IssuerName");
+    if (certIssuer !== undefined) {
+        info.certificateIssuer = xmlDecode(certIssuer);
     }
-    const certSerialMatch = /<X509SerialNumber[^>]*>([^<]*)<\/X509SerialNumber>/.exec(xmlStr);
-    if (certSerialMatch) {
-        info.certificateSerialNumber = xmlDecode(certSerialMatch[1]);
+    const certSerial = extractTextElement(xmlStr, "X509SerialNumber");
+    if (certSerial !== undefined) {
+        info.certificateSerialNumber = xmlDecode(certSerial);
     }
     return info;
 }
+/**
+ * Find the first occurrence of `<tagName ...>...</tagName>` in `xml` and
+ * return the inner text (verbatim — the caller is responsible for entity
+ * decoding via `xmlDecode`).
+ *
+ * Implemented as a linear index scan rather than a regex match. The previous
+ * regex-based implementation tripped CodeQL's polynomial-regex detector
+ * because the input is attacker-controlled signature XML.
+ *
+ * @param xml - The XML text to search.
+ * @param tagName - Local element name (no namespace prefix). The match
+ *   ignores any namespace prefix actually present in the document.
+ * @param options.allowAngleBrackets - When true, the inner text is read up
+ *   to the literal `</tagName>` close tag rather than the next `<`. This
+ *   is appropriate for elements like `SignatureValue` where the body is
+ *   base64 and cannot legitimately contain `<` anyway, but lets the function
+ *   tolerate accidental whitespace/newlines that some signers insert.
+ */
+function extractTextElement(xml, tagName, options = {}) {
+    const n = xml.length;
+    let from = 0;
+    while (from < n) {
+        const lt = xml.indexOf("<", from);
+        if (lt < 0) {
+            return undefined;
+        }
+        // Skip an optional namespace prefix: <ns:Tag ...>.
+        let nameStart = lt + 1;
+        // Look ahead for either the bare tag name or `prefix:tagName`. We do
+        // a forward scan rather than an unbounded regex match.
+        const colon = xml.indexOf(":", nameStart);
+        const ws = findTagNameEnd(xml, nameStart);
+        if (colon > 0 && colon < ws) {
+            nameStart = colon + 1;
+        }
+        if (xml.slice(nameStart, nameStart + tagName.length) !== tagName ||
+            !isTagNameBoundary(xml.charCodeAt(nameStart + tagName.length))) {
+            from = lt + 1;
+            continue;
+        }
+        // Found `<…tagName`. Find the closing `>` of the open tag.
+        const openEnd = xml.indexOf(">", nameStart + tagName.length);
+        if (openEnd < 0) {
+            return undefined;
+        }
+        // Self-closing? Then the element has no text content.
+        if (xml.charCodeAt(openEnd - 1) === 0x2f /* '/' */) {
+            return "";
+        }
+        const bodyStart = openEnd + 1;
+        if (options.allowAngleBrackets) {
+            // Search for the matching close tag (allowing namespace prefix).
+            const closeIdx = findCloseTag(xml, bodyStart, tagName);
+            if (closeIdx < 0) {
+                return undefined;
+            }
+            return xml.slice(bodyStart, closeIdx);
+        }
+        // Default behaviour: text content has no `<`. Stop at the next `<`.
+        const lt2 = xml.indexOf("<", bodyStart);
+        if (lt2 < 0) {
+            return undefined;
+        }
+        return xml.slice(bodyStart, lt2);
+    }
+    return undefined;
+}
+function findTagNameEnd(xml, start) {
+    const n = xml.length;
+    let i = start;
+    while (i < n) {
+        const c = xml.charCodeAt(i);
+        if (c === 0x20 || c === 0x09 || c === 0x0a || c === 0x0d || c === 0x2f || c === 0x3e) {
+            return i;
+        }
+        i++;
+    }
+    return n;
+}
+function isTagNameBoundary(c) {
+    return (c === 0x20 || // space
+        c === 0x09 || // tab
+        c === 0x0a || // LF
+        c === 0x0d || // CR
+        c === 0x2f || // '/'
+        c === 0x3e // '>'
+    );
+}
+function findCloseTag(xml, from, tagName) {
+    const n = xml.length;
+    let i = from;
+    while (i < n) {
+        const lt = xml.indexOf("</", i);
+        if (lt < 0) {
+            return -1;
+        }
+        let p = lt + 2;
+        // Optional namespace prefix
+        const colon = xml.indexOf(":", p);
+        const gt = xml.indexOf(">", p);
+        if (gt < 0) {
+            return -1;
+        }
+        if (colon > 0 && colon < gt) {
+            p = colon + 1;
+        }
+        if (xml.slice(p, p + tagName.length) === tagName &&
+            // Allow trailing whitespace before '>' but require a boundary char.
+            isTagNameBoundary(xml.charCodeAt(p + tagName.length))) {
+            return lt;
+        }
+        i = lt + 2;
+    }
+    return -1;
+}
 /**
  * Extract all digital signatures from opaque parts of a document.
  *

package/dist/esm/modules/word/security/encryption.js

@@ -324,13 +324,17 @@ function bytesEqual(a, b) {
  * @returns Parsed agile encryption info.
  */
 export function parseEncryptionInfoXml(xmlStr) {
-    // Simple regex-based extraction for the key <keyEncryptors><keyEncryptor>... element
-    const keyDataMatch = /<keyData\s([\s\S]*?)\/>/.exec(xmlStr);
-    const pwdEncryptorMatch = /<p:encryptedKey\s([\s\S]*?)\/>/.exec(xmlStr);
-    if (!keyDataMatch || !pwdEncryptorMatch) {
+    // Locate the `<keyData ... />` and `<p:encryptedKey ... />` elements
+    // with a linear scan. Using regular expressions with lazy `[\s\S]*?`
+    // quantifiers triggers CodeQL's polynomial-regex warning because the
+    // input is attacker-controlled (a hostile EncryptionInfo XML stream
+    // with very long unterminated tags caused catastrophic backtracking).
+    const keyDataAttrs = extractSelfClosingTagAttrs(xmlStr, "keyData");
+    const pwdAttrs = extractSelfClosingTagAttrs(xmlStr, "p:encryptedKey");
+    if (!keyDataAttrs || !pwdAttrs) {
         throw new DocxDecryptionError("Invalid EncryptionInfo XML - missing keyData or encryptedKey");
     }
-    const pwdData = parseAttrs(pwdEncryptorMatch[1]);
+    const pwdData = pwdAttrs;
     // Required cryptographic fields — empty/missing values cannot decrypt and
     // produce confusing CryptoOperation errors downstream. Fail fast with a
     // clear message instead.
@@ -393,12 +397,108 @@ export function parseEncryptionInfoXml(xmlStr) {
         blockSize
     };
 }
+/**
+ * Find a `<tagName ... />` element and return its parsed attributes, or
+ * `null` if no such self-closing element exists.
+ *
+ * Uses a linear scan instead of a regex with `[\s\S]*?` to avoid
+ * catastrophic backtracking on adversarial EncryptionInfo XML.
+ */
+function extractSelfClosingTagAttrs(xml, tagName) {
+    const needle = `<${tagName}`;
+    let from = 0;
+    while (from <= xml.length) {
+        const start = xml.indexOf(needle, from);
+        if (start < 0) {
+            return null;
+        }
+        const after = start + needle.length;
+        const ch = xml.charCodeAt(after);
+        // Require a whitespace, '/' or '>' after the tag name so `<keyDataExtra`
+        // does not match `<keyData`.
+        if (ch !== 0x20 && ch !== 0x09 && ch !== 0x0a && ch !== 0x0d && ch !== 0x2f && ch !== 0x3e) {
+            from = after;
+            continue;
+        }
+        // Find the closing '>' from `start`. Bail out if there isn't one.
+        const close = xml.indexOf(">", after);
+        if (close < 0) {
+            return null;
+        }
+        // The element must be self-closing: the char before '>' is '/'.
+        if (xml.charCodeAt(close - 1) !== 0x2f) {
+            from = close + 1;
+            continue;
+        }
+        const inner = xml.slice(after, close - 1);
+        return parseAttrs(inner);
+    }
+    return null;
+}
+/**
+ * Parse XML-style attributes (`name="value"`) from a fragment. Implemented
+ * as a single linear scan rather than a global regex so attacker-controlled
+ * input cannot trigger polynomial-time backtracking (CodeQL js/polynomial-redos).
+ */
 function parseAttrs(str) {
     const attrs = {};
-    const re = /(\w+)="([^"]*)"/g;
-    let match;
-    while ((match = re.exec(str)) !== null) {
-        attrs[match[1]] = match[2];
+    const n = str.length;
+    let i = 0;
+    while (i < n) {
+        // Skip whitespace.
+        while (i < n) {
+            const c = str.charCodeAt(i);
+            if (c !== 0x20 && c !== 0x09 && c !== 0x0a && c !== 0x0d) {
+                break;
+            }
+            i++;
+        }
+        if (i >= n) {
+            break;
+        }
+        // Read attribute name (\w+ equivalent: [A-Za-z0-9_]+).
+        const nameStart = i;
+        while (i < n) {
+            const c = str.charCodeAt(i);
+            const isWord = (c >= 0x30 && c <= 0x39) || // 0-9
+                (c >= 0x41 && c <= 0x5a) || // A-Z
+                (c >= 0x61 && c <= 0x7a) || // a-z
+                c === 0x5f; // _
+            if (!isWord) {
+                break;
+            }
+            i++;
+        }
+        if (i === nameStart) {
+            // Not at an attribute — advance one char so we make progress.
+            i++;
+            continue;
+        }
+        const name = str.slice(nameStart, i);
+        // Expect `="` exactly. Anything else means we resync to the next
+        // whitespace and try again — robust to malformed input.
+        if (i + 1 >= n || str.charCodeAt(i) !== 0x3d || str.charCodeAt(i + 1) !== 0x22) {
+            // Skip to next whitespace.
+            while (i < n) {
+                const c = str.charCodeAt(i);
+                if (c === 0x20 || c === 0x09 || c === 0x0a || c === 0x0d) {
+                    break;
+                }
+                i++;
+            }
+            continue;
+        }
+        i += 2; // past `="`
+        // Read until next `"`.
+        const valStart = i;
+        const valEnd = str.indexOf('"', i);
+        if (valEnd < 0) {
+            // Unterminated value — store what we have and stop.
+            attrs[name] = str.slice(valStart);
+            break;
+        }
+        attrs[name] = str.slice(valStart, valEnd);
+        i = valEnd + 1;
     }
     return attrs;
 }

package/dist/iife/excelts.iife.js

@@ -1,5 +1,5 @@
 /*!
-* @cj-tech-master/excelts v9.5.5
+* @cj-tech-master/excelts v9.5.6
 * Zero-dependency TypeScript toolkit — Excel (XLSX), PDF, CSV, Markdown, XML, ZIP/TAR, and streaming.
 * (c) 2026 cjnoname
 * Released under the MIT License
@@ -41659,6 +41659,19 @@ self.onmessage = async function(event) {
 				return Object.values(this._merges).some(Boolean);
 			}
 			/**
+			* Read-only enumeration of every merged region on this sheet
+			* (1-based, inclusive). Consumed by the formula engine's snapshot
+			* builder to detect `#SPILL!` conflicts. See issue #162 follow-up.
+			*/
+			get mergedRegions() {
+				return Object.values(this._merges).map((merge) => ({
+					top: merge.top,
+					left: merge.left,
+					bottom: merge.bottom,
+					right: merge.right
+				}));
+			}
+			/**
 			* Scan the range and if any cell is part of a merge, un-merge the group.
 			* Note this function can affect multiple merges and merge-blocks are
 			* atomic - either they're all merged or all un-merged.
@@ -87052,52 +87065,53 @@ self.onmessage = async function(event) {
 		return dirs;
 	}
 	/**
-	* Return all discoverable system font candidates, ordered by preference.
+	* Lazily yield discoverable system font candidates, in preference order.
 	*
 	* Each entry is the raw font file bytes of a `.ttf` or `.ttc` file.
 	* The caller decides which candidate to use (e.g. by checking cmap coverage).
 	*
-	* Results are cached — the filesystem scan runs only once per process.
+	* Iterating one candidate at a time lets callers `break` as soon as
+	* they find a match, avoiding the cost of recursively reading every
+	* font in every system font directory just to discard them.
 	*/
-	function discoverSystemFontCandidates() {
-		if (_cachedCandidates !== void 0) return _cachedCandidates;
-		if (typeof process === "undefined" || !process.platform) {
-			_cachedCandidates = [];
-			return _cachedCandidates;
+	function* iterateSystemFontCandidates() {
+		if (_cachedCandidates !== void 0) {
+			for (const c of _cachedCandidates) yield c;
+			return;
 		}
-		const candidates = [];
+		if (typeof process === "undefined" || !process.platform) return;
 		const seen = /* @__PURE__ */ new Set();
 		const dirs = getSystemFontDirs();
 		for (const fontName of PREFERRED_FONTS) for (const dir of dirs) {
 			const fontPath = `${dir}/${fontName}`;
 			if (seen.has(fontPath)) continue;
+			seen.add(fontPath);
 			if (fileExistsSync(fontPath)) {
 				const data = tryReadFont(fontPath);
-				if (data) {
-					candidates.push(data);
-					seen.add(fontPath);
-				}
+				if (data) yield data;
 			}
 		}
 		const broadRe = /noto|unicode|cjk|yahei|heiti|gothic|sans|serif|ming|song|dejavu|liberation|droid|wqy/i;
-		for (const dir of dirs) try {
-			const fonts = traverseDirectorySync(dir, {
-				recursive: true,
-				filter: (e) => !e.isDirectory
-			}).filter((e) => /\.tt[cf]$/i.test(e.absolutePath) && !seen.has(e.absolutePath));
+		for (const dir of dirs) {
+			let entries;
+			try {
+				entries = traverseDirectorySync(dir, {
+					recursive: true,
+					filter: (e) => !e.isDirectory
+				});
+			} catch {
+				continue;
+			}
+			const fonts = entries.filter((e) => /\.tt[cf]$/i.test(e.absolutePath) && !seen.has(e.absolutePath));
 			const broad = fonts.filter((e) => broadRe.test(e.absolutePath));
 			const rest = fonts.filter((e) => !broadRe.test(e.absolutePath) && e.size > 5e4);
 			for (const entry of [...broad, ...rest]) {
 				if (seen.has(entry.absolutePath)) continue;
+				seen.add(entry.absolutePath);
 				const data = tryReadFont(entry.absolutePath);
-				if (data) {
-					candidates.push(data);
-					seen.add(entry.absolutePath);
-				}
+				if (data) yield data;
 			}
-		} catch {}
-		_cachedCandidates = candidates;
-		return candidates;
+		}
 	}
 	function tryReadFont(fontPath) {
 		try {
@@ -90198,7 +90212,7 @@ self.onmessage = async function(event) {
 		let fontData = options?.font ?? null;
 		if (!fontData) {
 			const nonWinAnsi = collectNonWinAnsiCodePoints(sheets);
-			if (nonWinAnsi.size > 0) for (const candidate of discoverSystemFontCandidates()) try {
+			if (nonWinAnsi.size > 0) for (const candidate of iterateSystemFontCandidates()) try {
 				const testTtf = parseTtf(candidate);
 				if ([...nonWinAnsi].every((cp) => testTtf.cmap.has(cp))) {
 					fontData = candidate;