fix: eliminate ReDoS
This change fixes a regular expression denial of service
vulnerability.

Fixes: gulpjs#32
Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
Trott committed Feb 10, 2021
1 parent 2b24ebd commit 8995f8c
Showing 2 changed files with 8 additions and 1 deletion.
2 changes: 1 addition & 1 deletion index.js
Expand Up @@ -6,7 +6,7 @@ var isWin32 = require('os').platform() === 'win32';

var slash = '/';
var backslash = /\\/g;
var enclosure = /[\{\[].*[\/]*.*[\}\]]$/;
var enclosure = /[\{\[].*[\}\]]$/;
var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;

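Review bot: The replacement `enclosure` pattern is still unanchored at the start and still runs a greedy `.*` before the end-anchored class, so matching can remain quadratic: on an input with many `{` or `[` characters that does not end in `}` or `]`, the engine rescans to the end of the string from each opener. Removing the nested `.*[\/]*.*` ambiguity covers the slash-heavy input from the advisory, but not this shape. Checking the final character before looking for an opener keeps the work linear, e.g. `var enclosed = /[\}\]]$/.test(str) && /[\{\[]/.test(str.slice(0, -1));`, where `str` stands for whatever string the call site tests. The use of `enclosure` is outside this hunk, so confirm the two forms agree there; they can differ for strings containing line terminators. A length cap on the input before any of these regexes run would bound the cost regardless.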
7 changes: 7 additions & 0 deletions test/index.test.js
Expand Up @@ -209,6 +209,13 @@ describe('glob2base test patterns', function() {

done();
});

it('should not be susceptible to SNYK-JS-GLOBPARENT-1016905', function(done) {
// This will time out if susceptible.
gp('{' + '/'.repeat(5000));

done();
});
});

if (isWin32) {
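Review bot: The new test passes or fails only through the runner's timeout, which is not set in this hunk, so the outcome depends on the configured default and on machine speed, and the value returned by `gp` is never checked. Recording the time around the call makes the bound explicit: `var start = Date.now();` before it and `if (Date.now() - start > 1000) { return done(new Error('gp() too slow')); }` after it, assuming the runner's `done` accepts an error argument (confirm). The input also contains a single opening brace, so it exercises only the slash-repetition case; a second case built from a different repeated character would guard the rest of the pattern against regressions. The enclosing `describe` starts outside the hunk.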
