Skip to content
Permalink
Browse files
fix: Resolve ReDoS vulnerability from CVE-2021-35065 (#49)
  • Loading branch information
sttk committed Jul 20, 2021
1 parent 3ad9597 commit 3e9f04a3b4349db7e1962d87c9a7398cda51f339
Showing with 43 additions and 2 deletions.
  1. +25 −2 index.js
  2. +18 −0 test/index.test.js
@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';

var slash = '/';
var backslash = /\\/g;
var enclosure = /[{[].*\/.*[}\]]$/;
var globby = /(^|[^\\])([{[]|\([^)]+$)/;
var escaped = /\\([!*?|[\](){}])/g;

@@ -24,7 +23,7 @@ module.exports = function globParent(str, opts) {
}

// special case for strings ending in enclosure containing path separator
if (enclosure.test(str)) {
if (isEnclosure(str)) {
str += slash;
}

@@ -39,3 +38,27 @@ module.exports = function globParent(str, opts) {
// remove escape chars and return result
return str.replace(escaped, '$1');
};


function isEnclosure(str) {
var lastChar = str.slice(-1)

var enclosureStart;
switch (lastChar) {
case '}':
enclosureStart = '{';
break;
case ']':
enclosureStart = '[';
break;
default:
return false;
}

var foundIndex = str.indexOf(enclosureStart);
if (foundIndex < 0) {
return false;
}

return str.slice(foundIndex + 1, -1).includes(slash);
}
@@ -224,6 +224,24 @@ describe('glob2base test patterns', function () {

done();
});

it('should finish in reasonable time for \'{\' + \'/\'.repeat(n) [CVE-2021-35065]', function(done) {
this.timeout(1000);
gp('{' + '/'.repeat(500000));
done();
});

it('should finish in reasonable time for \'{\'.repeat(n)', function(done) {
this.timeout(1000);
gp('{'.repeat(500000));
done();
});

it('should finish in reasonable time for \'(\'.repeat(n)', function(done) {
this.timeout(1000);
gp('('.repeat(500000));
done();
});
});

if (isWin32) {

0 comments on commit 3e9f04a

Please sign in to comment.