From f9231168b0041fea3f8f954b3cceb56269fc6366 Mon Sep 17 00:00:00 2001
From: Rich Trott
Date: Sat, 6 Mar 2021 13:16:16 -0800
Subject: [PATCH] fix: eliminate ReDoS (#36)

This change fixes a regular expression denial of service vulnerability.

Refs: https://github.com/gulpjs/glob-parent/issues/32
Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
---
 index.js | 2 +-
 test/index.test.js | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/index.js b/index.js
index ef65a47..09e257e 100644
--- a/index.js
+++ b/index.js
@@ -6,7 +6,7 @@ var isWin32 = require('os').platform() === 'win32';
 var slash = '/';
 var backslash = /\\/g;
-var enclosure = /[\{\[].*[\/]*.*[\}\]]$/;
+var enclosure = /[\{\[].*[\}\]]$/;
 var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
 var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
diff --git a/test/index.test.js b/test/index.test.js
index c13bf04..0a0291e 100644
--- a/test/index.test.js
+++ b/test/index.test.js
@@ -209,6 +209,13 @@ describe('glob2base test patterns', function() {
 done();
 });
+
+ it('should not be susceptible to SNYK-JS-GLOBPARENT-1016905', function(done) {
+ // This will time out if susceptible.
+ gp('{' + '/'.repeat(5000));
+
+ done();
+ });
 });
 if (isWin32) {
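Review bot: The new `enclosure` pattern `/[\{\[].*[\}\]]$/` removes the overlapping `[\/]*.*` quantifiers, but it is still unanchored at the front, so on an input that does not end in `}` or `]` the engine re-runs `.*` from every opening bracket it finds, which is quadratic in the worst case rather than linear. The regression test added in this commit covers only the slash-heavy input and would not detect that. The code that calls `enclosure.test(...)` is outside this hunk, so this needs confirming there: a guard on the final character before the regex runs, such as `var last = input.charAt(input.length - 1);` followed by `if (last === '}' || last === ']') { ... }` (with `input` standing for the string being tested), keeps the check linear. A short comment above the declaration, for example `// Must stay free of nested/adjacent unbounded quantifiers; input is caller-controlled.`, would also record why the pattern has this shape.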
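Review bot: The added test in `test/index.test.js` asserts nothing and depends on the runner's default timeout, so the threshold that separates pass from fail is implicit. The call to `gp` is synchronous, so the runner cannot interrupt it and can only report an overrun after the call has returned. Recording `var start = Date.now();` before the call and checking the elapsed time against a stated bound afterwards would make the guard explicit, and asserting on the value `gp` returns would also catch a fix that changes the computed parent. The enclosing `describe` block starts outside this hunk.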