Fix ReDoS vulnerabilities and add input validation

- Add bounded quantifiers to regex patterns to prevent ReDoS
- Add 1MB size limit and object validation to fromJSON
- Add 4096 char limit to parseString for package URLs
- Prevent prototype pollution in JSON parsing

Author: jdalton

src/package-url.ts

@@ -31,7 +31,6 @@ SOFTWARE.
 import { decodePurlComponent } from './decode.js'
 import { PurlError } from './error.js'
 import { isObject, recursiveFreeze } from './objects.js'
-import { PackageURLBuilder } from './package-url-builder.js'
 import { PurlComponent } from './purl-component.js'
 import { PurlQualifierNames } from './purl-qualifier-names.js'
 import { PurlType } from './purl-type.js'
@@ -68,10 +67,12 @@ export type PackageURLObject = {
 }
 
 // Pattern to match URLs with schemes other than "pkg".
-const OTHER_SCHEME_PATTERN = /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\//
+// Limited to 256 chars for scheme to prevent ReDoS.
+const OTHER_SCHEME_PATTERN = /^[a-zA-Z][a-zA-Z0-9+.-]{0,255}:\/\//
 
 // Pattern to match purl-like strings with type/name format.
-const PURL_LIKE_PATTERN = /^[a-zA-Z0-9+.-]+\//
+// Limited to 256 chars for type to prevent ReDoS.
+const PURL_LIKE_PATTERN = /^[a-zA-Z0-9+.-]{1,256}\//
 
 /**
  * Package URL parser and constructor implementing the PURL specification.
@@ -255,11 +256,39 @@ class PackageURL {
     if (typeof json !== 'string') {
       throw new Error('JSON string argument is required.')
     }
+
+    // Size limit: 1MB to prevent memory exhaustion.
+    const MAX_JSON_SIZE = 1024 * 1024
+    if (json.length > MAX_JSON_SIZE) {
+      throw new Error(
+        `JSON string exceeds maximum size limit of ${MAX_JSON_SIZE} bytes.`,
+      )
+    }
+
+    let parsed
     try {
-      return PackageURL.fromObject(JSON.parse(json))
+      parsed = JSON.parse(json)
     } catch (e) {
       throw new Error('Invalid JSON string.', { cause: e })
     }
+
+    // Validate parsed result is an object.
+    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+      throw new Error('JSON must parse to an object.')
+    }
+
+    // Create a safe object without prototype chain to prevent prototype pollution.
+    const safeObject: PackageURLObject = {
+      __proto__: null,
+      type: parsed.type,
+      namespace: parsed.namespace,
+      name: parsed.name,
+      version: parsed.version,
+      qualifiers: parsed.qualifiers,
+      subpath: parsed.subpath,
+    } as PackageURLObject
+
+    return PackageURL.fromObject(safeObject)
   }
 
   /**
@@ -302,6 +331,15 @@ class PackageURL {
       return [undefined, undefined, undefined, undefined, undefined, undefined]
     }
 
+    // Input length validation to prevent DoS.
+    // Reasonable limit for a package URL.
+    const MAX_PURL_LENGTH = 4096
+    if (purlStr.length > MAX_PURL_LENGTH) {
+      throw new Error(
+        `Package URL exceeds maximum length of ${MAX_PURL_LENGTH} characters.`,
+      )
+    }
+
     // If the string doesn't start with "pkg:" but looks like a purl format, prepend "pkg:" and try parsing.
     if (!purlStr.startsWith('pkg:')) {
       // Only auto-prepend "pkg:" if the string looks like a purl (contains a type/name pattern)
@@ -484,7 +522,6 @@ export {
   Err,
   Ok,
   PackageURL,
-  PackageURLBuilder,
   PurlComponent,
   PurlQualifierNames,
   PurlType,