From a4ab4a300075327c1bae2c95ae0dacc9d035fd7b Mon Sep 17 00:00:00 2001
From: Gar <gar+gh@danger.computer>
Date: Wed, 20 Nov 2024 12:49:38 -0800
Subject: [PATCH] fix: break up greedy host fragment parsing regex (#274)

It's easier to reason about each step this way, and also not susceptible
to redos.
---
 lib/hosts.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/hosts.js b/lib/hosts.js
index 013712b7..d610993e 100644
--- a/lib/hosts.js
+++ b/lib/hosts.js
@@ -4,7 +4,11 @@
 
 const maybeJoin = (...args) => args.every(arg => arg) ? args.join('') : ''
 const maybeEncode = (arg) => arg ? encodeURIComponent(arg) : ''
-const formatHashFragment = (f) => f.toLowerCase().replace(/^\W+|\/|\W+$/g, '').replace(/\W+/g, '-')
+const formatHashFragment = (f) => f.toLowerCase()
+  .replace(/^\W+/g, '') // strip leading non-characters
+  .replace(/\W+$/g, '') // strip trailing non-characters
+  .replace(/\//g, '') // strip all slashes
+  .replace(/\W+/g, '-') // replace remaining non-characters with '-'
 
 const defaults = {
   sshtemplate: ({ domain, user, project, committish }) =>