Fix ReDoS vulnerability

sindresorhus · sindresorhus · commit d8ba39a528c1 · 2022-05-13T16:58:40.000+07:00
diff --git a/index.js b/index.js
@@ -1,3 +1,3 @@
 export default function semverRegex() {
-	return /(?:(?<=^v?|\sv?)(?:(?:0|[1-9]\d{0,9})\.){2}(?:0|[1-9]\d{0,9})(?:-(?:0|[1-9]\d*?|[\da-z-]*?[a-z-][\da-z-]*?){0,100}(?:\.(?:0|[1-9]\d*?|[\da-z-]*?[a-z-][\da-z-]*?))*?){0,100}(?:\+[\da-z-]+?(?:\.[\da-z-]+?)*?){0,100}\b){1,200}/gi;
+	return /(?:(?<=^v?|\sv?)(?:(?:0|[1-9]\d{0,9}?)\.){2}(?:0|[1-9]\d{0,9}?)(?:-(?:0|[1-9]\d*?|[\da-z-]*?[a-z-][\da-z-]*?){0,100}?(?:\.(?:0|[1-9]\d*?|[\da-z-]*?[a-z-][\da-z-]*?))*?){0,100}?(?:\+[\da-z-]+?(?:\.[\da-z-]+?)*?){0,100}?\b){1,200}?/gi;
 }
diff --git a/package.json b/package.json
@@ -33,7 +33,7 @@
 		"semantic"
 	],
 	"devDependencies": {
-		"ava": "^3.15.0",
+		"ava": "^4.2.0",
 		"tsd": "^0.14.0",
 		"xo": "^0.39.1"
 	}
diff --git a/test.js b/test.js
@@ -119,4 +119,12 @@ test('invalid version does not cause catatrophic backtracking', t => {
 		const difference = Date.now() - start;
 		t.true(difference < 10, `Execution time: ${difference}`);
 	}
+
+	for (let index = 1; index <= 20; index++) {
+		const start = Date.now();
+		const fixture = `0.0.1-${'-.--'.repeat(index)} `;
+		semverRegex().test(fixture);
+		const difference = Date.now() - start;
+		t.true(difference < 10, `Execution time: ${difference}`);
+	}
 });

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`export default function semverRegex() {`
`2`		`- return /(?:(?<=^v?\|\sv?)(?:(?:0\|[1-9]\d{0,9})\.){2}(?:0\|[1-9]\d{0,9})(?:-(?:0\|[1-9]\d?\|[\da-z-]?[a-z-][\da-z-]?){0,100}(?:\.(?:0\|[1-9]\d?\|[\da-z-]?[a-z-][\da-z-]?))?){0,100}(?:\+[\da-z-]+?(?:\.[\da-z-]+?)?){0,100}\b){1,200}/gi;`
	`2`	`+ return /(?:(?<=^v?\|\sv?)(?:(?:0\|[1-9]\d{0,9}?)\.){2}(?:0\|[1-9]\d{0,9}?)(?:-(?:0\|[1-9]\d?\|[\da-z-]?[a-z-][\da-z-]?){0,100}?(?:\.(?:0\|[1-9]\d?\|[\da-z-]?[a-z-][\da-z-]?))?){0,100}?(?:\+[\da-z-]+?(?:\.[\da-z-]+?)?){0,100}?\b){1,200}?/gi;`
`3`	`3`	`}`