fix: Regular Expression Denial of Service (ReDoS)

lib/helpers/combineURLs.js

@@ -10,6 +10,6 @@
  */
 export default function combineURLs(baseURL, relativeURL) {
   return relativeURL
-    ? baseURL.replace(/\/+$/, '') + '/' + relativeURL.replace(/^\/+/, '')
+    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
     : baseURL;
 }

test/specs/defaults.spec.js

@@ -178,10 +178,25 @@ describe('defaults', function () {
     const instance = axios.create();
     axios.defaults.baseURL = 'http://example.org/';
 
+    instance.get('/foo/users');
+
+    getAjaxRequest().then(function (request) {
+      expect(request.url).toBe('/foo/users');
+      done();
+    });
+  });
+
+  it('should resistent to ReDoS attack', function (done) {
+    const instance = axios.create();
+    const start = performance.now();
+    const slashes = '/'.repeat(100000);
+    instance.defaults.baseURL = '/' + slashes + 'bar/';
     instance.get('/foo');
 
     getAjaxRequest().then(function (request) {
-      expect(request.url).toBe('/foo');
+      const elapsedTimeMs = performance.now() - start;
+      expect(elapsedTimeMs).toBeLessThan(20);
+      expect(request.url).toBe('/' + slashes + 'bar/foo');
       done();
     });
   });