find-my-way - npm Package Compare versions

Comparing version 9.0.0 to 9.0.1

index.js

@@ -195,2 +195,4 @@ 'use strict'
       let isRegexNode = false
+      let isParamSafe = true
+      let backtrack = ''
       const regexps = []
@@ -223,4 +225,6 @@
             j = endOfRegexIndex + 1
+            isParamSafe = true
           } else {
-            regexps.push('(.*?)')
+            regexps.push(isParamSafe ? '(.*?)' : `(${backtrack}|(?:(?!${backtrack}).)*)`)
+            isParamSafe = false
           }
@@ -243,3 +247,3 @@
             staticPart = staticPart.split('%').join('%25')
-            regexps.push(escapeRegExp(staticPart))
+            regexps.push(backtrack = escapeRegExp(staticPart))
           }
@@ -341,2 +345,4 @@
       let isRegexNode = false
+      let isParamSafe = true
+      let backtrack = ''
       const regexps = []
@@ -351,2 +357,3 @@
         const isEndOfNode = charCode === 47 || j === pattern.length
+
         if (isRegexParam || isStaticPart || isEndOfNode) {
@@ -369,4 +376,6 @@ const paramName = pattern.slice(lastParamStartIndex, j)
             j = endOfRegexIndex + 1
+            isParamSafe = false
           } else {
-            regexps.push('(.*?)')
+            regexps.push(isParamSafe ? '(.*?)' : `(${backtrack}|(?:(?!${backtrack}).)*)`)
+            isParamSafe = false
           }
@@ -389,3 +398,3 @@
             staticPart = staticPart.split('%').join('%25')
-            regexps.push(escapeRegExp(staticPart))
+            regexps.push(backtrack = escapeRegExp(staticPart))
           }
@@ -392,0 +401,0 @@

package.json

 {
   "name": "find-my-way",
-  "version": "9.0.0",
+  "version": "9.0.1",
   "description": "Crazy fast http radix based router",
@@ -5,0 +5,0 @@ "main": "index.js",

test/issue-17.test.js

@@ -135,4 +135,4 @@ 'use strict'
   findMyWay.on('GET', '/a/:p1-:p2', (req, res, params) => {
-    t.equal(params.p1, 'foo')
-    t.equal(params.p2, 'bar-baz')
+    t.equal(params.p1, 'foo-bar')
+    t.equal(params.p2, 'baz')
   })
@@ -139,0 +139,0 @@

test/optional-params.test.js

@@ -71,4 +71,4 @@ 'use strict'
     if (params.p1 && params.p2) {
-      t.equal(params.p1, 'foo')
-      t.equal(params.p2, 'bar-baz')
+      t.equal(params.p1, 'foo-bar')
+      t.equal(params.p2, 'baz')
     }
@@ -75,0 +75,0 @@ })

test/regex.test.js

@@ -258,1 +258,15 @@ 'use strict'
 })
+
+test('prevent back-tracking', (t) => {
+  t.plan(0)
+  t.setTimeout(20)
+
+  const findMyWay = FindMyWay({
+    defaultRoute: () => {
+      t.fail('route not matched')
+    }
+  })
+
+  findMyWay.on('GET', '/:foo-:bar-', (req, res, params) => {})
+  findMyWay.find('GET', '/' + '-'.repeat(16_000) + 'a', { host: 'fastify.io' })
+})

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

385804

increased by0.18%

Lines of code

9610

increased by0.2%

No dependency changes