fix: disable regexp backtracking (#160)
satazor committed Nov 18, 2024
1 parent f4af31c commit ba5aaef
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions lib/util/escape.js
Expand Up @@ -15,15 +15,17 @@ function escapeArgument(arg, doubleEscapeMetaChars) {
arg = `${arg}`;

// Algorithm below is based on https://qntm.org/cmd
// It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input
// Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information

// Sequence of backslashes followed by a double quote:
// double up all the backslashes and escape the double quote
arg = arg.replace(/(\\*)"/g, '$1$1\\"');
arg = arg.replace(/(?=(\\+?)?)\1"/g, '$1$1\\"');

// Sequence of backslashes followed by the end of the string
// (which will become a double quote later):
// double up all the backslashes
arg = arg.replace(/(\\*)$/, '$1$1');
arg = arg.replace(/(?=(\\+?)?)\1$/, '$1$1');

// All other backslashes occur literally
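
Review bot: in both new patterns the lazy `\\+?` inside the lookahead stops after one backslash and the lookahead is not re-entered, so group 1 holds at most a single backslash and `$1$1` doubles only the backslash directly before the quote or the end of the string, while the comments above each replace still say "double up all the backslashes". For an argument with two backslashes before a double quote, the removed `/(\\*)"/g` yields five backslashes before the quote and the new `/(?=(\\+?)?)\1"/g` yields four; the end-of-string replace differs in the same way (three backslashes instead of four for a trailing pair). Please add test cases with runs of two or more backslashes before a quote and at the end of the string, compare them against the old output, and either make the capture cover the whole run or update the comments if handling a single backslash is the intent.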
