fix: update regular expression to remove ReDOS

Fixes: #2
stevemao · Sep 4, 2021 · 6d89476 · 6d89476
1 parent 0cd87f5
commit 6d89476
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/index.js b/index.js
@@ -1,6 +1,6 @@
 'use strict';
 
-var regex = /^(?:\r\n|\n|\r)+|(?:\r\n|\n|\r)+$/g;
+var regex = /^(?:\r|\n)+|(?:\r|\n)+$/g;
 
 module.exports = function (str) {
 	return str.replace(regex, '');

diff --git a/test.js b/test.js
@@ -19,3 +19,10 @@ it('should trim off \\r\\n', function () {
 	assert.strictEqual(trimOffNewlines('\r\nunicorns\r\n'), 'unicorns');
 	assert.strictEqual(trimOffNewlines('unicorns\r\n\r\n\r\n\r\n\r\n\r\n'), 'unicorns');
 });
+
+it('should not be susceptible to exponential backtracking', function () {
+	var start = Date.now();
+	trimOffNewlines('a' + '\r\n'.repeat(1000) + 'a');
+	var end = Date.now();
+	assert.ok(end - start < 1000, 'took too long, probably susceptible to ReDOS');
+});