Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
fix: Resolve ReDoS vulnerability from CVE-2021-35065 (#49)
  • Loading branch information
sttk committed Jul 20, 2021
1 parent 3ad9597 commit 3e9f04a
Show file tree
Hide file tree
Showing 2 changed files with 43 additions and 2 deletions.
27 changes: 25 additions & 2 deletions index.js
Expand Up @@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';

var slash = '/';
var backslash = /\\/g;
var enclosure = /[{[].*\/.*[}\]]$/;
var globby = /(^|[^\\])([{[]|\([^)]+$)/;
var escaped = /\\([!*?|[\](){}])/g;

Expand All @@ -24,7 +23,7 @@ module.exports = function globParent(str, opts) {
}

// special case for strings ending in enclosure containing path separator
if (enclosure.test(str)) {
if (isEnclosure(str)) {
str += slash;
}

Expand All @@ -39,3 +38,27 @@ module.exports = function globParent(str, opts) {
// remove escape chars and return result
return str.replace(escaped, '$1');
};


function isEnclosure(str) {
var lastChar = str.slice(-1)

var enclosureStart;
switch (lastChar) {
case '}':
enclosureStart = '{';
break;
case ']':
enclosureStart = '[';
break;
default:
return false;
}

var foundIndex = str.indexOf(enclosureStart);
if (foundIndex < 0) {
return false;
}

return str.slice(foundIndex + 1, -1).includes(slash);
}
18 changes: 18 additions & 0 deletions test/index.test.js
Expand Up @@ -224,6 +224,24 @@ describe('glob2base test patterns', function () {

done();
});

it('should finish in reasonable time for \'{\' + \'/\'.repeat(n) [CVE-2021-35065]', function(done) {
this.timeout(1000);
gp('{' + '/'.repeat(500000));
done();
});

it('should finish in reasonable time for \'{\'.repeat(n)', function(done) {
this.timeout(1000);
gp('{'.repeat(500000));
done();
});

it('should finish in reasonable time for \'(\'.repeat(n)', function(done) {
this.timeout(1000);
gp('('.repeat(500000));
done();
});
});

if (isWin32) {
Expand Down

0 comments on commit 3e9f04a

Please sign in to comment.