fix: eliminate ReDoS (#36)

Trott · web-flow · commit f9231168b004 · 2021-03-06T14:16:16.000-07:00
This change fixes a regular expression denial of service vulnerability. Refs: #32 Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
diff --git a/index.js b/index.js
@@ -6,7 +6,7 @@ var isWin32 = require('os').platform() === 'win32';
 
 var slash = '/';
 var backslash = /\\/g;
-var enclosure = /[\{\[].*[\/]*.*[\}\]]$/;
+var enclosure = /[\{\[].*[\}\]]$/;
 var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
 var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
 
diff --git a/test/index.test.js b/test/index.test.js
@@ -209,6 +209,13 @@ describe('glob2base test patterns', function() {
 
     done();
   });
+
+  it('should not be susceptible to SNYK-JS-GLOBPARENT-1016905', function(done) {
+    // This will time out if susceptible.
+    gp('{' + '/'.repeat(5000));
+
+    done();
+  });
 });
 
 if (isWin32) {
