Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)

mmmsssttt404 · juliangruber · web-flow · commit 0b6a9781e18e · 2025-06-11T09:02:59.000+02:00
* Create redos.js

* Update index.js

* Update test/redos.js

---------

Co-authored-by: Julian Gruber &lt;julian@juliangruber.com&gt;
diff --git a/index.js b/index.js
@@ -154,7 +154,7 @@ function expand (str, isTop) {
     const isOptions = m.body.indexOf(',') >= 0
     if (!isSequence && !isOptions) {
       // {a},b}
-      if (m.post.match(/,.*\}/)) {
+      if (m.post.match(/,(?!,).*\}/)) {
         str = m.pre + '{' + m.body + escClose + m.post
         return expand(str)
       }
diff --git a/test/redos.js b/test/redos.js
@@ -0,0 +1,15 @@
+import test from 'node:test'
+import assert from 'assert'
+import expand from '../index.js'
+
+test('redos', function () {
+let str = "{a}" + ",".repeat(100000) + "\u0000";
+    let startTime = performance.now();
+    expand(str)
+    let endTime = performance.now();
+    let timeTaken = endTime - startTime;
+    assert.ok(timeTaken < 1000, `Expected time (${timeTaken}ms) to be less than 1000ms`);
+})
+
+
+

Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,7 @@ function expand (str, isTop) {`
`154`	`154`	`const isOptions = m.body.indexOf(',') >= 0`
`155`	`155`	`if (!isSequence && !isOptions) {`
`156`	`156`	`// {a},b}`
`157`		`- if (m.post.match(/,.*\}/)) {`
	`157`	`+ if (m.post.match(/,(?!,).*\}/)) {`
`158`	`158`	`str = m.pre + '{' + m.body + escClose + m.post`
`159`	`159`	`return expand(str)`
`160`	`160`	`}`