Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Fix ReDoS vulnerability CVE-2021-35065 #49

Merged
merged 4 commits into from Jul 20, 2021
Merged

fix: Fix ReDoS vulnerability CVE-2021-35065 #49

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d16d629
fix: Fix ReDoS vulnerability CVE-2021-35065
sttk Jun 24, 2021
723eed9
test: Add a test case for ReDoS vulnerability
sttk Jun 24, 2021
9bc351f
fix: Modify regex to accept newlines and to avoid ReDoS by '{'.repeat(n)
sttk Jun 26, 2021
468dde3
fix: Modify to get rid of RegExp `enclosure`
sttk Jul 3, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
27 changes: 25 additions & 2 deletions index.js
View file
Open in desktop
Expand Up @@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';

var slash = '/';
var backslash = /\\/g;
var enclosure = /[{[].*\/.*[}\]]$/;
var globby = /(^|[^\\])([{[]|\([^)]+$)/;
var escaped = /\\([!*?|[\](){}])/g;

Expand All @@ -24,7 +23,7 @@ module.exports = function globParent(str, opts) {
}

// special case for strings ending in enclosure containing path separator
if (enclosure.test(str)) {
if (isEnclosure(str)) {
str += slash;
}

Expand All @@ -39,3 +38,27 @@ module.exports = function globParent(str, opts) {
// remove escape chars and return result
return str.replace(escaped, '$1');
};


function isEnclosure(str) {
var lastChar = str.slice(-1)

var enclosureStart;
switch (lastChar) {
case '}':
enclosureStart = '{';
break;
case ']':
enclosureStart = '[';
break;
default:
return false;
}

var foundIndex = str.indexOf(enclosureStart);
if (foundIndex < 0) {
return false;
}

return str.slice(foundIndex + 1, -1).includes(slash);
}
Comment on lines +43 to +64
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our enclosure logic doesn't account for escaped brackets.

18 changes: 18 additions & 0 deletions test/index.test.js
View file
Open in desktop
Expand Up @@ -224,6 +224,24 @@ describe('glob2base test patterns', function () {

done();
});

it('should finish in reasonable time for \'{\' + \'/\'.repeat(n) [CVE-2021-35065]', function(done) {
this.timeout(1000);
gp('{' + '/'.repeat(500000));
done();
});

it('should finish in reasonable time for \'{\'.repeat(n)', function(done) {
this.timeout(1000);
gp('{'.repeat(500000));
done();
});

it('should finish in reasonable time for \'(\'.repeat(n)', function(done) {
this.timeout(1000);
gp('('.repeat(500000));
done();
});
});

if (isWin32) {
Expand Down