fix: backtracking in CSS tokenizer rules (#3626)

**What problem is this PR intended to solve?**

Addresses three regular expression backtracking / redos issues.

ref: GHSA-c4rq-3m3g-8wgx

**Have you included adequate test coverage?**

Yes, added benchmark suite tests to assert linearity of regex
performance.

**Does this change affect the behavior of either the C or the Java
implementations?**

N/A

Author: flavorjones

lib/nokogiri/css/tokenizer.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 #--
 # DO NOT MODIFY!!!!
-# This file is automatically generated by rex 1.0.7
+# This file is automatically generated by rex 1.0.8
 # from lexical definition file "lib/nokogiri/css/tokenizer.rex".
 #++
 
@@ -63,13 +63,13 @@ def _next_token
                   when (text = @ss.scan(/has\([\s]*/))
                      action { [:HAS, text] }
 
-                  when (text = @ss.scan(/-?([_A-Za-z]|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))([_A-Za-z0-9-]|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))*\([\s]*/))
+                  when (text = @ss.scan(/-?(?>[_A-Za-z]|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))(?>[_A-Za-z0-9-]|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))*\([\s]*/))
                      action { [:FUNCTION, text] }
 
-                  when (text = @ss.scan(/-?([_A-Za-z]|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))([_A-Za-z0-9-]|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))*/))
+                  when (text = @ss.scan(/-?(?>[_A-Za-z]|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))(?>[_A-Za-z0-9-]|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))*/))
                      action { [:IDENT, text] }
 
-                  when (text = @ss.scan(/\#([_A-Za-z0-9-]|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))+/))
+                  when (text = @ss.scan(/\#(?>[_A-Za-z0-9-]|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))+/))
                      action { [:HASH, text] }
 
                   when (text = @ss.scan(/[\s]*~=[\s]*/))
@@ -132,7 +132,7 @@ def _next_token
                   when (text = @ss.scan(/[\s]+/))
                      action { [:S, text] }
 
-                  when (text = @ss.scan(/("([^\n\r\f"]|(\n|\r\n|\r|\f)|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))*(?<!\\)(?:\\{2})*"|'([^\n\r\f']|(\n|\r\n|\r|\f)|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))*(?<!\\)(?:\\{2})*')/))
+                  when (text = @ss.scan(/("(?>[^\n\r\f"\\]|\\?(\n|\r\n|\r|\f)|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))*"|'(?>[^\n\r\f'\\]|\\?(\n|\r\n|\r|\f)|[^\0-\177]|(\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f]))*')/))
                      action { [:STRING, text] }
 
                   when (text = @ss.scan(/./))

lib/nokogiri/css/tokenizer.rex

@@ -11,13 +11,13 @@ macro
   unicode   \\[0-9A-Fa-f]{1,6}(\r\n|[\s])?
 
   escape    ({unicode}|\\[^\n\r\f0-9A-Fa-f])
-  nmchar    ([_A-Za-z0-9-]|{nonascii}|{escape})
-  nmstart   ([_A-Za-z]|{nonascii}|{escape})
+  nmchar    (?>[_A-Za-z0-9-]|{nonascii}|{escape})
+  nmstart   (?>[_A-Za-z]|{nonascii}|{escape})
   name      {nmstart}{nmchar}*
   ident     -?{name}
   charref   {nmchar}+
-  string1   "([^\n\r\f"]|{nl}|{nonascii}|{escape})*(?<!\\)(?:\\{2})*"
-  string2   '([^\n\r\f']|{nl}|{nonascii}|{escape})*(?<!\\)(?:\\{2})*'
+  string1   "(?>[^\n\r\f"\\]|\\?{nl}|{nonascii}|{escape})*"
+  string2   '(?>[^\n\r\f'\\]|\\?{nl}|{nonascii}|{escape})*'
   string    ({string1}|{string2})
 
 rule

test/css/bench_tokenizer.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "helper"
+require "timeout"
+
+class TestBenchCSSTokenizer < Nokogiri::TestBenchmark
+  # JRuby's JIT warmup makes per-call timings too noisy for an R**2 fit;
+  # the ReDoS property is a regex property, not an engine one, so MRI
+  # coverage is sufficient.
+  before { skip("benchmarks are too noisy under JRuby JIT") if Nokogiri.jruby? }
+
+  # GHSA-c4rq-3m3g-8wgx: ambiguous regex in the STRING rule backtracks
+  # exponentially on unterminated `[foo="\a\a\a..."` input. Each sample
+  # repeats the parse to average out per-call jitter.
+  describe "css string tokenizer (cross-branch ambiguity)" do
+    bench_range { bench_linear(10_000, 60_000, 10_000) }
+
+    bench_performance_linear("redos in STRING rule", 0.99) do |n|
+      Timeout.timeout(5) do
+        payload = %([foo=") + ('\\a' * n) + "x"
+        50.times do
+          Nokogiri::CSS.xpath_for(payload)
+        rescue Nokogiri::CSS::SyntaxError
+        end
+      end
+    end
+  end
+
+  # The unicode escape's `[0-9A-Fa-f]{1,6}` quantifier admits 6 different
+  # match lengths per escape position, which without an atomic group
+  # multiplies into 6**N parses on unterminated `[foo="\aaaaaa\aaaaaa..."`.
+  describe "css string tokenizer (unicode escape length ambiguity)" do
+    bench_range { bench_linear(2_000, 12_000, 2_000) }
+
+    bench_performance_linear("redos in unicode escape length", 0.99) do |n|
+      Timeout.timeout(5) do
+        payload = %([foo=") + ('\\aaaaaa' * n) + "x"
+        150.times do
+          Nokogiri::CSS.xpath_for(payload)
+        rescue Nokogiri::CSS::SyntaxError
+        end
+      end
+    end
+  end
+
+  # The function-call rule {ident}\({w} requires `(` after an identifier.
+  # If the `(` is missing and the ident-shaped prefix contains many
+  # `\<6-hex>` escapes, the engine backtracks through the {1,6}
+  # ambiguity inside `{nmchar}*` for 6**N parses.
+  describe "css ident tokenizer (function-rule failure ambiguity)" do
+    bench_range { bench_linear(50_000, 300_000, 50_000) }
+
+    bench_performance_linear("redos in function rule", 0.99) do |n|
+      Timeout.timeout(5) do
+        payload = ('\\aaaaaa' * n) + "X"
+        1000.times do
+          Nokogiri::CSS.xpath_for(payload)
+        rescue Nokogiri::CSS::SyntaxError
+        end
+      end
+    end
+  end
+end