Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)

mmmsssttt404 · juliangruber · juliangruber · commit c3c73c8b088d · 2025-06-11T10:51:35.000+02:00
* Create redos.js

* Update index.js

* Update test/redos.js

---------

Co-authored-by: Julian Gruber &lt;julian@juliangruber.com&gt;
diff --git a/index.js b/index.js
@@ -109,7 +109,7 @@ function expand(str, isTop) {
   var isOptions = m.body.indexOf(',') >= 0;
   if (!isSequence && !isOptions) {
     // {a},b}
-    if (m.post.match(/,.*\}/)) {
+    if (m.post.match(/,(?!,).*\}/)) {
       str = m.pre + '{' + m.body + escClose + m.post;
       return expand(str);
     }
diff --git a/test/redos.js b/test/redos.js
@@ -0,0 +1,15 @@
+import test from 'node:test'
+import assert from 'assert'
+import expand from '../index.js'
+
+test('redos', function () {
+let str = "{a}" + ",".repeat(100000) + "\u0000";
+    let startTime = performance.now();
+    expand(str)
+    let endTime = performance.now();
+    let timeTaken = endTime - startTime;
+    assert.ok(timeTaken < 1000, `Expected time (${timeTaken}ms) to be less than 1000ms`);
+})
+
+
+

Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ function expand(str, isTop) {`
`109`	`109`	`var isOptions = m.body.indexOf(',') >= 0;`
`110`	`110`	`if (!isSequence && !isOptions) {`
`111`	`111`	`// {a},b}`
`112`		`- if (m.post.match(/,.*\}/)) {`
	`112`	`+ if (m.post.match(/,(?!,).*\}/)) {`
`113`	`113`	`str = m.pre + '{' + m.body + escClose + m.post;`
`114`	`114`	`return expand(str);`
`115`	`115`	`}`