fix: eliminate ReDoS

This change fixes a regular expression denial of service vulnerability. Refs: #32 Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
gulpjs · Feb 10, 2021 · c6db864 · c6db864
1 parent 2b24ebd
commit c6db864
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/index.js b/index.js
@@ -6,7 +6,7 @@ var isWin32 = require('os').platform() === 'win32';
 
 var slash = '/';
 var backslash = /\\/g;
-var enclosure = /[\{\[].*[\/]*.*[\}\]]$/;
+var enclosure = /[\{\[].*[\}\]]$/;
 var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
 var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
 

diff --git a/test/index.test.js b/test/index.test.js
@@ -209,6 +209,13 @@ describe('glob2base test patterns', function() {
 
     done();
   });
+
+  it('should not be susceptible to SNYK-JS-GLOBPARENT-1016905', function(done) {
+    // This will time out if susceptible.
+    gp('{' + '/'.repeat(5000));
+
+    done();
+  });
 });
 
 if (isWin32) {