fix(isSlug & rtrim): regex no longer exposed to ReDOS attacks (#1603)

fedeci · web-flow · commit 6d87bfe20c54 · 2021-03-03T13:49:47.000+03:00
diff --git a/src/lib/isSlug.js b/src/lib/isSlug.js
@@ -1,6 +1,6 @@
 import assertString from './util/assertString';
 
-let charsetRegex = /^[^\s-_](?!.*?[-_]{2,})([a-z0-9-\\]{1,})[^\s]*[^-_\s]$/;
+let charsetRegex = /^[^\s-_](?!.*?[-_]{2,})[a-z0-9-\\][^\s]*[^-_\s]$/;
 
 export default function isSlug(str) {
   assertString(str);
diff --git a/src/lib/rtrim.js b/src/lib/rtrim.js
@@ -3,6 +3,6 @@ import assertString from './util/assertString';
 export default function rtrim(str, chars) {
   assertString(str);
   // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping
-  const pattern = chars ? new RegExp(`[${chars.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}]+$`, 'g') : /\s+$/g;
+  const pattern = chars ? new RegExp(`[${chars.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}]+$`, 'g') : /(\s)+$/g;
   return str.replace(pattern, '');
 }

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,6 @@ import assertString from './util/assertString';`
`3`	`3`	`export default function rtrim(str, chars) {`
`4`	`4`	`assertString(str);`
`5`	`5`	`// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping`
`6`		- const pattern = chars ? new RegExp(`[${chars.replace(/[.*+?^${}()\|[\]\\]/g, '\\$&')}]+$`, 'g') : /\s+$/g;
	`6`	+ const pattern = chars ? new RegExp(`[${chars.replace(/[.*+?^${}()\|[\]\\]/g, '\\$&')}]+$`, 'g') : /(\s)+$/g;
`7`	`7`	`return str.replace(pattern, '');`
`8`	`8`	`}`