@cj-tech-master/excelts 9.5.5 → 9.5.6

package/dist/cjs/modules/pdf/font/system-fonts.js

@@ -12,9 +12,15 @@
  * .ttc (TrueType Collection) files are supported — parseTtf() extracts
  * the first font from the collection automatically.
  *
- * Results are cached: the filesystem search runs only once per process.
+ * Discovery is exposed both as a generator
+ * ({@link iterateSystemFontCandidates}) for early-exit callers and as
+ * an array snapshot ({@link discoverSystemFontCandidates}) for tests
+ * and full enumeration. Once the full snapshot has been produced it is
+ * cached and replayed on subsequent calls; partial iterations rely on
+ * the OS page cache to make repeat reads of the same font files cheap.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.iterateSystemFontCandidates = iterateSystemFontCandidates;
 exports.discoverSystemFontCandidates = discoverSystemFontCandidates;
 exports.discoverSystemFont = discoverSystemFont;
 exports.resetFontDiscoveryCache = resetFontDiscoveryCache;
@@ -94,75 +100,114 @@ const PREFERRED_FONTS = [
 // =============================================================================
 // Font Discovery
 // =============================================================================
+// Cached, fully-populated candidate list. Set when the generator runs
+// to completion via `discoverSystemFontCandidates()`, or when a test
+// injects candidates via `_setCandidatesForTest`. Partial iterations
+// (where the caller `break`s after a match) intentionally do not
+// populate this cache — they rely on the OS page cache to keep repeat
+// reads cheap.
 let _cachedCandidates;
 /**
- * Return all discoverable system font candidates, ordered by preference.
+ * Lazily yield discoverable system font candidates, in preference order.
  *
  * Each entry is the raw font file bytes of a `.ttf` or `.ttc` file.
  * The caller decides which candidate to use (e.g. by checking cmap coverage).
  *
- * Results are cached — the filesystem scan runs only once per process.
+ * Iterating one candidate at a time lets callers `break` as soon as
+ * they find a match, avoiding the cost of recursively reading every
+ * font in every system font directory just to discard them.
  */
-function discoverSystemFontCandidates() {
+function* iterateSystemFontCandidates() {
+    // Fast path: a previous call already produced the full snapshot.
     if (_cachedCandidates !== undefined) {
-        return _cachedCandidates;
+        for (const c of _cachedCandidates) {
+            yield c;
+        }
+        return;
     }
     if (typeof process === "undefined" || !process.platform) {
-        _cachedCandidates = [];
-        return _cachedCandidates;
+        return;
     }
-    const candidates = [];
-    const seen = new Set(); // dedupe by path
+    const seen = new Set(); // dedupe by path within this iteration
     const dirs = getSystemFontDirs();
-    // Strategy 1: Check preferred font filenames (in order)
+    // Strategy 1: Check preferred font filenames (in order). These stat
+    // calls are cheap and run regardless — they are the only path most
+    // callers need to traverse.
     for (const fontName of PREFERRED_FONTS) {
         for (const dir of dirs) {
             const fontPath = `${dir}/${fontName}`;
             if (seen.has(fontPath)) {
                 continue;
             }
+            seen.add(fontPath);
             if ((0, fs_1.fileExistsSync)(fontPath)) {
                 const data = tryReadFont(fontPath);
                 if (data) {
-                    candidates.push(data);
-                    seen.add(fontPath);
+                    yield data;
                 }
             }
         }
     }
-    // Strategy 2: Scan directories for any .ttf/.ttc not already found
+    // Strategy 2: Recursively scan each directory for any other .ttf/.ttc.
+    // This is the expensive step (hundreds of MB on macOS / Windows), so
+    // it walks one directory at a time and yields candidates as it goes —
+    // a caller that found a match in Strategy 1 (or in an earlier
+    // directory here) never reaches further directories.
     const broadRe = /noto|unicode|cjk|yahei|heiti|gothic|sans|serif|ming|song|dejavu|liberation|droid|wqy/i;
     for (const dir of dirs) {
+        let entries;
         try {
-            const entries = (0, fs_1.traverseDirectorySync)(dir, { recursive: true, filter: e => !e.isDirectory });
-            const fonts = entries.filter(e => /\.tt[cf]$/i.test(e.absolutePath) && !seen.has(e.absolutePath));
-            // Broad-coverage names first, then large files
-            const broad = fonts.filter(e => broadRe.test(e.absolutePath));
-            const rest = fonts.filter(e => !broadRe.test(e.absolutePath) && e.size > 50000);
-            for (const entry of [...broad, ...rest]) {
-                if (seen.has(entry.absolutePath)) {
-                    continue;
-                }
-                const data = tryReadFont(entry.absolutePath);
-                if (data) {
-                    candidates.push(data);
-                    seen.add(entry.absolutePath);
-                }
-            }
+            entries = (0, fs_1.traverseDirectorySync)(dir, { recursive: true, filter: e => !e.isDirectory });
         }
         catch {
             // Directory doesn't exist or not readable
+            continue;
+        }
+        const fonts = entries.filter(e => /\.tt[cf]$/i.test(e.absolutePath) && !seen.has(e.absolutePath));
+        // Broad-coverage names first, then large files
+        const broad = fonts.filter(e => broadRe.test(e.absolutePath));
+        const rest = fonts.filter(e => !broadRe.test(e.absolutePath) && e.size > 50000);
+        for (const entry of [...broad, ...rest]) {
+            if (seen.has(entry.absolutePath)) {
+                continue;
+            }
+            seen.add(entry.absolutePath);
+            const data = tryReadFont(entry.absolutePath);
+            if (data) {
+                yield data;
+            }
         }
     }
-    _cachedCandidates = candidates;
-    return candidates;
+}
+/**
+ * Return all discoverable system font candidates, ordered by preference.
+ *
+ * Each entry is the raw font file bytes of a `.ttf` or `.ttc` file.
+ * The caller decides which candidate to use (e.g. by checking cmap coverage).
+ *
+ * The full snapshot is cached: once produced, repeated calls return the
+ * same array without touching the filesystem.
+ *
+ * Prefer {@link iterateSystemFontCandidates} when you only need the
+ * first candidate that satisfies a predicate: it avoids reading every
+ * font in every system directory just to discard them.
+ */
+function discoverSystemFontCandidates() {
+    if (_cachedCandidates !== undefined) {
+        return _cachedCandidates;
+    }
+    const all = [];
+    for (const candidate of iterateSystemFontCandidates()) {
+        all.push(candidate);
+    }
+    _cachedCandidates = all;
+    return all;
 }
 /**
  * Search for a system font suitable for Unicode rendering.
  *
  * Returns the raw font file bytes of the highest-priority candidate,
- * or `null` if no font was found. This is a convenience wrapper around
- * {@link discoverSystemFontCandidates}.
+ * or `null` if no font was found.
  */
 function discoverSystemFont() {
     const candidates = discoverSystemFontCandidates();

package/dist/cjs/modules/pdf/render/pdf-exporter.js

@@ -61,8 +61,11 @@ function prepareExport(workbook, options) {
         // Collect non-WinAnsi code points from the document (single pass)
         const nonWinAnsi = collectNonWinAnsiCodePoints(sheets);
         if (nonWinAnsi.size > 0) {
-            // Try system font candidates in preference order until one covers all chars
-            for (const candidate of (0, system_fonts_1.discoverSystemFontCandidates)()) {
+            // Try system font candidates lazily in preference order until one
+            // covers all chars. Iterating instead of materializing the full
+            // candidate list lets us stop the moment a match is found, which
+            // avoids the cost of recursively scanning every system font dir.
+            for (const candidate of (0, system_fonts_1.iterateSystemFontCandidates)()) {
                 try {
                     const testTtf = (0, ttf_parser_1.parseTtf)(candidate);
                     const allCovered = [...nonWinAnsi].every(cp => testTtf.cmap.has(cp));

package/dist/cjs/modules/word/advanced/field-engine.js

@@ -184,32 +184,160 @@ function parseSeqSwitches(args) {
 }
 /** Parse IF field: IF expr1 op expr2 "trueText" "falseText" */
 function parseIfField(args) {
-    // Pattern: expr1 = expr2 "trueText" "falseText"
-    // Supports both quoted and unquoted operands.
-    // Two-character operators must come first or `<=` would match `<` only.
-    const match = /^"?([^"=<>!]*?)"?\s*(<=|>=|<>|=|<|>)\s*"?([^"]*?)"?\s+"([^"]*)"\s+"([^"]*)"/.exec(args);
-    if (match) {
-        return {
-            left: match[1].trim(),
-            operator: match[2],
-            right: match[3].trim(),
-            trueText: match[4],
-            falseText: match[5]
-        };
-    }
-    // Simpler pattern without quotes on operands
-    const simpleMatch = /^(\S+)\s*(<=|>=|<>|=|<|>)\s*(\S+)\s+"([^"]*)"\s+"([^"]*)"/.exec(args);
-    if (simpleMatch) {
-        return {
-            left: simpleMatch[1],
-            operator: simpleMatch[2],
-            right: simpleMatch[3],
-            trueText: simpleMatch[4],
-            falseText: simpleMatch[5]
-        };
+    // Hand-rolled parser used in place of the previous chained regex
+    // (`/^"?([^"=<>!]*?)"?\s*(<=|>=|<>|=|<|>)\s*"?([^"]*?)"?\s+"([^"]*)"\s+"([^"]*)"/`).
+    // CodeQL flagged that regex as polynomial-redos. The grammar is also
+    // permissive in ways the regex captured implicitly: real Word IF
+    // fields contain operands such as `MERGEFIELD foo` (with internal
+    // whitespace) and operands wrapped in quotes. The scanner below
+    // mirrors the regex's accepted shape:
+    //
+    //   args := SP* leftOperand SP* op SP* rightOperand SP+ "trueText" SP+ "falseText" …
+    //
+    // where `leftOperand` runs up to the first comparison operator that
+    // is not inside a quoted span, and `rightOperand` runs up to the
+    // first `"` that begins the trueText literal.
+    // 1. Find the comparison operator outside any quoted span.
+    const opPos = findIfOperator(args, 0);
+    if (!opPos) {
+        return null;
+    }
+    // 2. Left operand: everything before the operator, with surrounding
+    //    whitespace and outer quotes stripped.
+    const left = stripOuterQuotes(args.slice(0, opPos.start).trim());
+    // 3. Right operand: text between the operator and the first quoted
+    //    literal, with surrounding whitespace and outer quotes stripped.
+    let cursor = opPos.next;
+    // Scan to the next `"` that is not the immediate value-quoted operand.
+    // We have to be careful: the right operand itself may be quoted, e.g.
+    // `1 = "bar" "y" "n"`. To match the previous regex we adopt: skip
+    // whitespace, optionally consume one quoted span as the right operand,
+    // otherwise consume up to the next whitespace+`"` boundary.
+    cursor = skipSpaces(args, cursor);
+    let right;
+    if (args.charCodeAt(cursor) === 0x22 /* '"' */) {
+        const close = args.indexOf('"', cursor + 1);
+        if (close < 0) {
+            return null;
+        }
+        right = args.slice(cursor + 1, close);
+        cursor = close + 1;
+    }
+    else {
+        // Read until the next `"` (which begins the trueText literal).
+        const nextQuote = args.indexOf('"', cursor);
+        if (nextQuote < 0) {
+            return null;
+        }
+        right = args.slice(cursor, nextQuote).trim();
+        cursor = nextQuote;
+    }
+    // 4. trueText (required quoted string).
+    cursor = skipSpaces(args, cursor);
+    const trueRead = readQuotedString(args, cursor);
+    if (!trueRead) {
+        return null;
+    }
+    cursor = skipSpaces(args, trueRead.next);
+    // 5. falseText (required quoted string).
+    const falseRead = readQuotedString(args, cursor);
+    if (!falseRead) {
+        return null;
+    }
+    return {
+        left,
+        operator: opPos.value,
+        right,
+        trueText: trueRead.value,
+        falseText: falseRead.value
+    };
+}
+/**
+ * Find the first IF-field comparison operator (`<=`, `>=`, `<>`, `=`,
+ * `<`, `>`) starting at `from`, skipping over any quoted (`"…"`) spans
+ * so that operators inside operand strings are not mistaken for the
+ * top-level comparator.
+ *
+ * Bare `!` is reported as "no operator" rather than absorbed into the
+ * preceding operand: the previous regex excluded `!` from the left
+ * operand character class, so `1 != 1 …` was rejected outright. We
+ * preserve that rejection here to avoid silently parsing `!=` (not a
+ * Word IF-field operator) as `=` with `!` glued to the left operand.
+ */
+function findIfOperator(s, from) {
+    const n = s.length;
+    let i = from;
+    while (i < n) {
+        const c = s.charCodeAt(i);
+        if (c === 0x22 /* '"' */) {
+            // Skip quoted span.
+            const close = s.indexOf('"', i + 1);
+            if (close < 0) {
+                return null;
+            }
+            i = close + 1;
+            continue;
+        }
+        if (c === 0x21 /* '!' */) {
+            // Reject `!` outside quotes — matches the previous regex behaviour.
+            return null;
+        }
+        if (c === 0x3c /* '<' */) {
+            const next = s.charCodeAt(i + 1);
+            if (next === 0x3d) {
+                return { start: i, next: i + 2, value: "<=" };
+            }
+            if (next === 0x3e) {
+                return { start: i, next: i + 2, value: "<>" };
+            }
+            return { start: i, next: i + 1, value: "<" };
+        }
+        if (c === 0x3e /* '>' */) {
+            if (s.charCodeAt(i + 1) === 0x3d) {
+                return { start: i, next: i + 2, value: ">=" };
+            }
+            return { start: i, next: i + 1, value: ">" };
+        }
+        if (c === 0x3d /* '=' */) {
+            return { start: i, next: i + 1, value: "=" };
+        }
+        i++;
     }
     return null;
 }
+/**
+ * Strip a single matched pair of outer quotes (`"…"`) from a trimmed
+ * operand. Mirrors the implicit `"?…"?` shape of the original regex.
+ */
+function stripOuterQuotes(s) {
+    if (s.length >= 2 && s.charCodeAt(0) === 0x22 && s.charCodeAt(s.length - 1) === 0x22) {
+        return s.slice(1, -1);
+    }
+    return s;
+}
+function skipSpaces(s, from) {
+    const n = s.length;
+    let i = from;
+    while (i < n) {
+        const c = s.charCodeAt(i);
+        if (c !== 0x20 && c !== 0x09 && c !== 0x0a && c !== 0x0d) {
+            break;
+        }
+        i++;
+    }
+    return i;
+}
+/** Read a quoted (`"…"`) string starting at `from`, or return null. */
+function readQuotedString(s, from) {
+    if (s.charCodeAt(from) !== 0x22 /* '"' */) {
+        return null;
+    }
+    const close = s.indexOf('"', from + 1);
+    if (close < 0) {
+        return null;
+    }
+    return { value: s.slice(from + 1, close), next: close + 1 };
+}
 /** Parse STYLEREF field to get the style name. */
 function parseStyleRef(args) {
     // STYLEREF "StyleName" or STYLEREF StyleName

package/dist/cjs/modules/word/advanced/math-convert.js

@@ -409,7 +409,8 @@ function parseMMLTree(xml) {
                 // forever (indexOf returning -1 used to set pos = 0, hanging the CPU).
                 const end = xml.indexOf(">", pos);
                 if (end === -1) {
-                    pos = xml.length;
+                    // Malformed input — stop parsing. (`pos` is unused after the
+                    // outer loop terminates, so no further assignment is needed.)
                     break;
                 }
                 pos = end + 1;

package/dist/cjs/modules/word/advanced/style-map.js

@@ -300,14 +300,52 @@ function parseTarget(targetStr) {
         }
         const tagName = tagMatch[1];
         const className = tagMatch[2] ? tagMatch[2].substring(1).replace(/\./g, " ") : undefined;
-        // Parse attributes [key=value]
+        // Parse attributes [key=value]. Implemented as a linear scan rather
+        // than a global regex so that adversarial mapping strings cannot
+        // trigger CodeQL's `js/polynomial-redos`. The regex form
+        // `/\[([^=]+)=([^\]]+)\]/g` exhibits backtracking on inputs like
+        // `[xxxxxxxxxxxxx`.
         let attributes;
-        if (tagMatch[3]) {
+        const attrSection = tagMatch[3];
+        if (attrSection) {
             attributes = {};
-            const attrRegex = /\[([^=]+)=([^\]]+)\]/g;
-            let attrMatch;
-            while ((attrMatch = attrRegex.exec(tagMatch[3])) !== null) {
-                attributes[attrMatch[1]] = attrMatch[2].replace(/^['"]|['"]$/g, "");
+            const len = attrSection.length;
+            let i = 0;
+            while (i < len) {
+                if (attrSection.charCodeAt(i) !== 0x5b /* '[' */) {
+                    i++;
+                    continue;
+                }
+                const eq = attrSection.indexOf("=", i + 1);
+                const close = attrSection.indexOf("]", i + 1);
+                if (close < 0) {
+                    break;
+                }
+                if (eq < 0 || eq > close) {
+                    // No `=` inside this `[...]` — skip past it.
+                    i = close + 1;
+                    continue;
+                }
+                const key = attrSection.slice(i + 1, eq);
+                const rawValue = attrSection.slice(eq + 1, close);
+                // Strip a single leading and trailing quote (' or "). Two
+                // independent linear strips replace the previous
+                // `/^['"]|['"]$/g` regex.
+                let v = rawValue;
+                if (v.length >= 2) {
+                    const first = v.charCodeAt(0);
+                    if (first === 0x27 || first === 0x22) {
+                        v = v.slice(1);
+                    }
+                }
+                if (v.length >= 1) {
+                    const last = v.charCodeAt(v.length - 1);
+                    if (last === 0x27 || last === 0x22) {
+                        v = v.slice(0, -1);
+                    }
+                }
+                attributes[key] = v;
+                i = close + 1;
             }
         }
         return { tagName, className: className || undefined, attributes };