Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)

mmmsssttt404 · juliangruber · juliangruber · commit 36603d5f3599 · 2025-06-11T10:46:48.000+02:00
* Create redos.js

* Update index.js

* Update test/redos.js

---------

Co-authored-by: Julian Gruber &lt;julian@juliangruber.com&gt;
diff --git a/index.js b/index.js
@@ -116,7 +116,7 @@ function expand(str, isTop) {
     var isOptions = m.body.indexOf(',') >= 0;
     if (!isSequence && !isOptions) {
       // {a},b}
-      if (m.post.match(/,.*\}/)) {
+      if (m.post.match(/,(?!,).*\}/)) {
         str = m.pre + '{' + m.body + escClose + m.post;
         return expand(str);
       }
diff --git a/test/redos.js b/test/redos.js
@@ -0,0 +1,15 @@
+import test from 'node:test'
+import assert from 'assert'
+import expand from '../index.js'
+
+test('redos', function () {
+let str = "{a}" + ",".repeat(100000) + "\u0000";
+    let startTime = performance.now();
+    expand(str)
+    let endTime = performance.now();
+    let timeTaken = endTime - startTime;
+    assert.ok(timeTaken < 1000, `Expected time (${timeTaken}ms) to be less than 1000ms`);
+})
+
+
+

Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,7 @@ function expand(str, isTop) {`
`116`	`116`	`var isOptions = m.body.indexOf(',') >= 0;`
`117`	`117`	`if (!isSequence && !isOptions) {`
`118`	`118`	`// {a},b}`
`119`		`- if (m.post.match(/,.*\}/)) {`
	`119`	`+ if (m.post.match(/,(?!,).*\}/)) {`
`120`	`120`	`str = m.pre + '{' + m.body + escClose + m.post;`
`121`	`121`	`return expand(str);`
`122`	`122`	`}`