Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)

mmmsssttt404 · juliangruber · juliangruber · commit 15f9b3c75ebf · 2025-06-11T10:38:58.000+02:00
* Create redos.js

* Update index.js

* Update test/redos.js

---------

Co-authored-by: Julian Gruber &lt;julian@juliangruber.com&gt;
diff --git a/index.js b/index.js
@@ -144,7 +144,7 @@ function expand (str, isTop) {
     const isOptions = m.body.indexOf(',') >= 0
     if (!isSequence && !isOptions) {
       // {a},b}
-      if (m.post.match(/,.*\}/)) {
+      if (m.post.match(/,(?!,).*\}/)) {
         str = m.pre + '{' + m.body + escClose + m.post
         return expand(str)
       }
diff --git a/test/redos.js b/test/redos.js
@@ -0,0 +1,15 @@
+import test from 'node:test'
+import assert from 'assert'
+import expand from '../index.js'
+
+test('redos', function () {
+let str = "{a}" + ",".repeat(100000) + "\u0000";
+    let startTime = performance.now();
+    expand(str)
+    let endTime = performance.now();
+    let timeTaken = endTime - startTime;
+    assert.ok(timeTaken < 1000, `Expected time (${timeTaken}ms) to be less than 1000ms`);
+})
+
+
+

Original file line number	Diff line number	Diff line change
`@@ -144,7 +144,7 @@ function expand (str, isTop) {`
`144`	`144`	`const isOptions = m.body.indexOf(',') >= 0`
`145`	`145`	`if (!isSequence && !isOptions) {`
`146`	`146`	`// {a},b}`
`147`		`- if (m.post.match(/,.*\}/)) {`
	`147`	`+ if (m.post.match(/,(?!,).*\}/)) {`
`148`	`148`	`str = m.pre + '{' + m.body + escClose + m.post`
`149`	`149`	`return expand(str)`
`150`	`150`	`}`