
Commit d31670a

authoredSep 10, 2024
Add backtrack protection to 3.x release (#321)
1 parent 6d2e8db commit d31670a


3 files changed

+2358
-1564
lines changed

3 files changed

+2358
-1564
lines changed
 

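--- a/index.js
+++ b/index.js
@@ -90,6 +90,7 @@ function parse (str, options) {
 var optional = modifier === '?' || modifier === '*'
 var pattern = capture || group
 var delimiter = prev || defaultDelimiter
+var prevText = prev || (typeof tokens[tokens.length - 1] === 'string' ? tokens[tokens.length - 1] : '')
 
 tokens.push({
 name: name || key++,
@@ -99,7 +100,7 @@ function parse (str, options) {
 repeat: repeat,
 pattern: pattern
 ? escapeGroup(pattern)
-: '[^' + escapeString(delimiter === defaultDelimiter ? delimiter : (delimiter + defaultDelimiter)) + ']+?'
+: restrictBacktrack(delimiter, defaultDelimiter, prevText)
 })
 }
 
@@ -111,6 +112,16 @@ function parse (str, options) {
 return tokens
 }
 
+function restrictBacktrack (delimiter, defaultDelimiter, prevText) {
+var charGroup = '[^' + escapeString(delimiter === defaultDelimiter ? delimiter : (delimiter + defaultDelimiter)) + ']'
+
+if (!prevText || prevText.indexOf(delimiter) > -1 || prevText.indexOf(defaultDelimiter) > -1) {
+return charGroup + '+?'
+}
+
+return escapeString(prevText) + '|(?:(?!' + escapeString(prevText) + ')' + charGroup + ')+?'
+}
+
 /**
 * Compile a string to a template function for the path.
 *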
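Review bot: The guard in `restrictBacktrack` returns the old unrestricted `charGroup + '+?'` whenever `prevText` is empty, and `prevText` is empty when a parameter directly follows another parameter (the last token is then an object, not a string), so that layout appears to keep the ambiguous pattern this commit is meant to remove. Custom patterns also bypass the helper, since `escapeGroup(pattern)` is still used when `pattern` is set. Neither limit is documented; I would add a comment block above the function that states what it protects and what it does not, for example `// Only narrows the default pattern when a delimiter-free literal precedes the parameter; adjacent parameters and custom patterns are unchanged.` The returned string now contains a top-level `|`, so anything that builds a RegExp from `token.pattern` must wrap it in a group, which is worth stating in the same comment. `restrictBacktrack` is complete in the hunk; `parse`, where `prevText` is computed, starts outside it.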

‎package-lock.json

+2,343-1,560

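--- a/test.ts
+++ b/test.ts
@@ -2206,7 +2206,7 @@ var TESTS: Test[] = [
 delimiter: '/',
 optional: true,
 repeat: false,
-pattern: '[^\\/]+?'
+pattern: '\\(|(?:(?!\\()[^\\/])+?'
 },
 ')'
 ],
@@ -2633,7 +2633,7 @@ var TESTS: Test[] = [
 delimiter: '/',
 name: 'attr2',
 optional: true,
-pattern: '[^\\/]+?',
+pattern: '-|(?:(?!-)[^\\/])+?',
 prefix: '',
 repeat: false
 }
@@ -2642,7 +2642,7 @@ var TESTS: Test[] = [
 ['name/1', null],
 ['name/1-', ['name/1-', '1', undefined]],
 ['name/1-2', ['name/1-2', '1', '2']],
-['name/1-2-3', ['name/1-2-3', '1', '2-3']],
+['name/1-2-3', ['name/1-2-3', '1-2', '3']],
 ['name/foo-bar/route', null],
 ['name/test/route', null]
 ],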
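Review bot: The three edits only update expected values; no case is added that exercises the backtracking behaviour named in the commit title, so a later regression in `restrictBacktrack` would not fail this suite. A regression case for a route with two parameters separated by a literal, asserted to reject a long non-matching path within a small time bound, would pin the fix. The third hunk also records a user-visible change: `name/1-2-3` now captures `'1-2'` and `'3'` where it captured `'1'` and `'2-3'`. Handlers that use these parameters for lookups or access decisions will see different values, so this deserves a line in the release notes. The `TESTS` array starts and ends outside these hunks.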
