fix: Resolve ReDoS vulnerability from CVE-2021-35065 (#49)

Author: sttk

index.js

@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
 
 var slash = '/';
 var backslash = /\\/g;
-var enclosure = /[{[].*\/.*[}\]]$/;
 var globby = /(^|[^\\])([{[]|\([^)]+$)/;
 var escaped = /\\([!*?|[\](){}])/g;
 
@@ -24,7 +23,7 @@ module.exports = function globParent(str, opts) {
   }
 
   // special case for strings ending in enclosure containing path separator
-  if (enclosure.test(str)) {
+  if (isEnclosure(str)) {
     str += slash;
   }
 
@@ -39,3 +38,27 @@ module.exports = function globParent(str, opts) {
   // remove escape chars and return result
   return str.replace(escaped, '$1');
 };
+
+
+function isEnclosure(str) {
+  var lastChar = str.slice(-1)
+
+  var enclosureStart;
+  switch (lastChar) {
+    case '}':
+      enclosureStart = '{';
+      break;
+    case ']':
+      enclosureStart = '[';
+      break;
+    default:
+      return false;
+  }
+
+  var foundIndex = str.indexOf(enclosureStart);
+  if (foundIndex < 0) {
+    return false;
+  }
+
+  return str.slice(foundIndex + 1, -1).includes(slash);
+}

test/index.test.js

@@ -224,6 +224,24 @@ describe('glob2base test patterns', function () {
 
     done();
   });
+
+  it('should finish in reasonable time for \'{\' + \'/\'.repeat(n) [CVE-2021-35065]', function(done) {
+    this.timeout(1000);
+    gp('{' + '/'.repeat(500000));
+    done();
+  });
+
+  it('should finish in reasonable time for \'{\'.repeat(n)', function(done) {
+    this.timeout(1000);
+    gp('{'.repeat(500000));
+    done();
+  });
+
+  it('should finish in reasonable time for \'(\'.repeat(n)', function(done) {
+    this.timeout(1000);
+    gp('('.repeat(500000));
+    done();
+  });
 });
 
 if (isWin32) {