
Commit d8ba39a

committed
Fix ReDoS vulnerability
1 parent b5894c1 commit d8ba39a


3 files changed

+10
-2
lines changed


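--- a/index.js
+++ b/index.js
@@ -1,3 +1,3 @@
 export default function semverRegex() {
-return /(?:(?<=^v?|\sv?)(?:(?:0|[1-9]\d{0,9})\.){2}(?:0|[1-9]\d{0,9})(?:-(?:0|[1-9]\d*?|[\da-z-]*?[a-z-][\da-z-]*?){0,100}(?:\.(?:0|[1-9]\d*?|[\da-z-]*?[a-z-][\da-z-]*?))*?){0,100}(?:\+[\da-z-]+?(?:\.[\da-z-]+?)*?){0,100}\b){1,200}/gi;
+return /(?:(?<=^v?|\sv?)(?:(?:0|[1-9]\d{0,9}?)\.){2}(?:0|[1-9]\d{0,9}?)(?:-(?:0|[1-9]\d*?|[\da-z-]*?[a-z-][\da-z-]*?){0,100}?(?:\.(?:0|[1-9]\d*?|[\da-z-]*?[a-z-][\da-z-]*?))*?){0,100}?(?:\+[\da-z-]+?(?:\.[\da-z-]+?)*?){0,100}?\b){1,200}?/gi;
 }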
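Review bot: The rewritten pattern on the added line still nests an unbounded alternation (`[\da-z-]*?[a-z-][\da-z-]*?`) inside the `{0,100}?` pre-release group, and making the outer quantifiers lazy changes the order in which alternatives are tried rather than placing a hard bound on the work the engine can do, so I would not treat the lazy quantifiers as the fix on their own; the regression loop added in test.js is what actually guards this. Nothing in the file records why these quantifiers are lazy, and a later "cleanup" that drops the `?` suffixes would silently reintroduce the problem. I would add a why-comment above the return, e.g. `// Quantifiers are deliberately lazy: the greedy form backtracked catastrophically on inputs such as "0.0.1-" followed by repeated "-.--" (see the timing test in test.js).` If the match set is meant to be unchanged by this commit, a sentence saying so in the commit message or comment would help, since `\d{0,9}?` and `{1,200}?` do alter which candidate the engine tries first even when the final match ends up the same.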

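--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
 "semantic"
 ],
 "devDependencies": {
-"ava": "^3.15.0",
+"ava": "^4.2.0",
 "tsd": "^0.14.0",
 "xo": "^0.39.1"
 }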

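--- a/test.js
+++ b/test.js
@@ -119,4 +119,12 @@ test('invalid version does not cause catatrophic backtracking', t => {
 const difference = Date.now() - start;
 t.true(difference < 10, `Execution time: ${difference}`);
 }
+
+for (let index = 1; index <= 20; index++) {
+const start = Date.now();
+const fixture = `0.0.1-${'-.--'.repeat(index)} `;
+semverRegex().test(fixture);
+const difference = Date.now() - start;
+t.true(difference < 10, `Execution time: ${difference}`);
+}
 });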
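Review bot: The new loop asserts a 10 ms wall-clock bound per iteration measured with `Date.now()`, which has millisecond resolution and makes the check sensitive to CI load rather than to the regex alone; the existing loop just above it (the test function starts outside the hunk) has the same weakness. With the fixture capped at 20 repetitions of a 4-character unit, a pattern that is merely quadratic would also stay under the bound, so the test distinguishes "exponential" from "fine" but not much in between. I would switch to `const start = performance.now();` and `const difference = performance.now() - start;` for sub-millisecond timing, and add a comment stating what the fixture exercises so the shape is not changed casually, e.g. `// Repeated "-.--" in the pre-release part is the input that previously triggered catastrophic backtracking.` The `'0.0.1-'` prefix and trailing space appear deliberate; the comment should say why the trailing space is there if it matters to the match.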
