[DevTools] Fix ReDoS vulnerability in Firefox stack trace parser

[yujiteshima]

Summary

This PR fixes a ReDoS (Regular Expression Denial of Service) vulnerability in the Firefox stack trace parser.

Fixes #35490

The original regex pattern (?:.*".+")?[^@]* in firefoxFrameRegExp contained nested quantifiers that could cause catastrophic backtracking when processing malicious inputs. With a crafted input containing 2000 repeated patterns, the regex took over 2.5 seconds to process, causing the DevTools to become unresponsive.

The fix: Changed .*".+" to "[^"]+" using a negated character class. This achieves O(n) linear time complexity while preserving identical matching behavior for all valid Firefox stack frames.

Input	Before	After
Malicious (2000 repeats)	2500+ ms	0 ms
Valid Firefox stack frames	✅ Works	✅ Works

How did you test this change?

1. Verified the fix resolves the vulnerability:

const firefoxFrameRegExp = /^((?:"[^"]+")?[^@]*)@(.+):(\d+):(\d+)$/;
const nullChar = String.fromCharCode(0);
const maliciousInput = ' ' + ('"' + nullChar).repeat(2000) + '\r!\r!';

const start = Date.now();
firefoxFrameRegExp.test(maliciousInput);
console.log(Date.now() - start + 'ms'); // 0ms (was 2500+ ms)

2. Verified existing functionality is preserved:

// All valid Firefox stack traces still parse correctly
'tt@https://react.dev/_next/static/chunks/363.js:1:165558' // ✅
'f@https://react.dev/_next/static/chunks/pages/app.js:1:8535' // ✅
'"quoted"@file:1:1' // ✅
'funcName@file:1:1' // ✅

3. Added a regression test to prevent future ReDoS vulnerabilities in this regex.

4. Ran the standard checks:

yarn linc            # ✅ Lint passed
yarn flow dom-node   # ✅ No errors
yarn prettier        # ✅ Formatted

[guiyi-he]

Hi， @yujiteshima @gnoff

Whether you need to actively request a review will determine whether the subsequent process will proceed.

Best regards
Guiyi He