Prevent ReDoS

timokoessler · timokoessler · commit 1d0b9fb6d5d0 · 2025-04-22T15:03:57.000+02:00
diff --git a/library/vulnerabilities/path-traversal/containsUnsafePathParts.ts b/library/vulnerabilities/path-traversal/containsUnsafePathParts.ts
@@ -20,5 +20,6 @@ export function containsUnsafePathParts(filePath: string) {
  * See https://url.spec.whatwg.org/#url-parsing
  */
 export function containsUnsafePathPartsUrl(filePath: string) {
-  return /(?:\.(?:\t|\n|\r)*){2}(?:\/|\\)/.test(filePath);
+  const normalized = filePath.replace(/[\t\n\r]/g, "");
+  return containsUnsafePathParts(normalized);
 }

Original file line number	Diff line number	Diff line change
`@@ -20,5 +20,6 @@ export function containsUnsafePathParts(filePath: string) {`
`20`	`20`	`* See https://url.spec.whatwg.org/#url-parsing`
`21`	`21`	`*/`
`22`	`22`	`export function containsUnsafePathPartsUrl(filePath: string) {`
`23`		`- return /(?:\.(?:\t\|\n\|\r)*){2}(?:\/\|\\)/.test(filePath);`
	`23`	`+ const normalized = filePath.replace(/[\t\n\r]/g, "");`
	`24`	`+ return containsUnsafePathParts(normalized);`
`24`	`25`	`}`