Skip to content

Commit

Permalink
fix: eliminate ReDoS
Browse files Browse the repository at this point in the history
This change fixes the regular expression denial of service
vulnerability.

This also fixes some incorrect tests that concealed a bug.

Fixes: gulpjs#32
Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
  • Loading branch information
Trott committed Feb 4, 2021
1 parent 2b24ebd commit 65606a9
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 5 deletions.
2 changes: 1 addition & 1 deletion index.js
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ var isWin32 = require('os').platform() === 'win32';

var slash = '/';
var backslash = /\\/g;
var enclosure = /[\{\[].*[\/]*.*[\}\]]$/;
var enclosure = /[\{\[].*\/.*[\}\]]$/;
var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;

Expand Down
15 changes: 11 additions & 4 deletions test/index.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -73,10 +73,10 @@ describe('glob-parent', function() {
assert.equal(gp('path/\\*\\(a\\|b\\)/subdir/foo.*'), 'path/*(a|b)/subdir');
assert.equal(gp('path/\\[foo bar\\]/subdir/foo.*'), 'path/[foo bar]/subdir');
assert.equal(gp('path/\\[bar]/'), 'path/[bar]');
assert.equal(gp('path/\\[bar]'), 'path/[bar]');
assert.equal(gp('path/\\[bar]'), 'path');
assert.equal(gp('[bar]'), '.');
assert.equal(gp('[bar]/'), '.');
assert.equal(gp('./\\[bar]'), './[bar]');
assert.equal(gp('./\\[bar]'), '.');
assert.equal(gp('\\[bar]/'), '[bar]');
assert.equal(gp('\\!dir/*'), '!dir');
assert.equal(gp('[bar\\]/'), '.');
Expand All @@ -91,9 +91,9 @@ describe('glob-parent', function() {
assert.equal(gp('foo-\\(bar\\).md'), 'foo-');
} else {
assert.equal(gp('foo-\\(bar\\).md'), '.');
assert.equal(gp('\\[bar]'), '[bar]');
assert.equal(gp('\\[bar]'), '.');
assert.equal(gp('[bar\\]'), '.');
assert.equal(gp('\\{foo,bar\\}'), '{foo,bar}');
assert.equal(gp('\\{foo,bar\\}'), '.');
assert.equal(gp('{foo,bar\\}'), '.');
}

Expand Down Expand Up @@ -209,6 +209,13 @@ describe('glob2base test patterns', function() {

done();
});

it('should not be susceptible to SNYK-JS-GLOBPARENT-1016905', function(done) {
// This will time out if susceptible.
gp('{' + '/'.repeat(5000));

done();
});
});

if (isWin32) {
Expand Down

0 comments on commit 65606a9

Please sign in to comment.