From 09e1086512bd50f2767b8c32fa74c0ff0be4c8cd Mon Sep 17 00:00:00 2001
From: Jeffrey Pinyan
Date: Thu, 13 May 2021 10:53:50 -0400
Subject: [PATCH] fixed regexes to avoid ReDoS attacks

---
 .npmignore | 1 +
 index.js | 6 +++---
 redos.js | 20 ++++++++++++++++++++
 3 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 redos.js

diff --git a/.npmignore b/.npmignore
index 2e0ff9d..fa040a0 100644
--- a/.npmignore
+++ b/.npmignore
@@ -1,2 +1,3 @@
 .travis.yml
+redos.js
 test.js
\ No newline at end of file
diff --git a/index.js b/index.js
index 3b7601f..e6b2af1 100644
--- a/index.js
+++ b/index.js
@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32';
 // Regex to split a windows path into three parts: [*, device, slash,
 // tail] windows-only
 var splitDeviceRe =
- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/;
+ /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
 
 // Regex to split the tail part of the above into [*, dir, basename, ext]
 var splitTailRe =
- /^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
+ /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
 
 var win32 = {};
 
@@ -51,7 +51,7 @@ win32.parse = function(pathString) {
 // Split a filename into [root, dir, basename, ext], unix version
 // 'root' is just a slash, or nothing.
 var splitPathRe =
- /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
+ /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
 
 var posix = {};
 
diff --git a/redos.js b/redos.js
new file mode 100644
index 0000000..261947f
--- /dev/null
+++ b/redos.js
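Review bot: The new dir group `((?:[^\\\/]*[\\\/])*)` in splitTailRe, and likewise `((?:[^\/]*\/)*)` in splitPathRe in the second hunk, greedily absorbs trailing separators, so the closing `(?:[\\\/]*)$` never gets to strip them and the basename capture comes out empty: for `a/b/c/` the old lazy `([\s\S]*?)` yielded dir `a/b/` and basename `c`, whereas the new pattern yields dir `a/b/c/` and basename ``. The backtracking fix itself is sound, since `[^\\\/]*` cannot match a separator and each iteration must consume one in `[\\\/]`, so the split is unambiguous and linear; the trailing-separator case needs handling in the callers (win32.parse and posix.parse lie outside these hunks), e.g. by trimming trailing separators with a character loop before matching rather than with an unanchored `/[\\\/]+$/`, which would scan quadratically on long separator runs, and a test for `a/b/c/` should accompany it. Separately, the `s` flag added to splitDeviceRe is a parse-time SyntaxError on engines without ES2018 regex support, while `([\s\S]*)$` is equivalent to `(.*)$/s` here and needs no flag.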
@@ -0,0 +1,20 @@
+var pathParse = require('.');
+
+function build_attack(n) {
+ var ret = ""
+ for (var i = 0; i < n; i++) {
+ ret += "/"
+ }
+ return ret + "◎";
+}
+
+for(var i = 1; i <= 5000000; i++) {
+ if (i % 10000 == 0) {
+ var time = Date.now();
+ var attack_str = build_attack(i)
+ pathParse.posix(attack_str);
+ pathParse.win32(attack_str);
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
+ }
+}
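Review bot: `var time = Date.now();` is taken before `var attack_str = build_attack(i)`, so `time_cost` includes the O(i) string construction and cannot separate it from the cost of the two parse calls the script is meant to measure; move the timestamp to just after the `build_attack(i)` line. The script only prints timings and never fails, so a reintroduced super-linear pattern would not break the test run; a check such as `if (time_cost > LIMIT_MS) throw new Error("parse took " + time_cost + " ms for length " + attack_str.length);`, with `LIMIT_MS` a constant chosen for the 5,000,000-character case, would let it serve as a regression test. On style, `var ret = ""`, `ret += "/"`, `var attack_str = build_attack(i)` and the `console.log(...)` line lack the semicolons that the index.js lines in this patch use consistently, and `i % 10000 == 0` should be `===`.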