minimatch 3.1.4 → 3.1.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +37 -0
- package/minimatch.js +4 -4
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -10,6 +10,43 @@ This is the matching library used internally by npm.
|
|
|
10
10
|
It works by converting glob expressions into JavaScript `RegExp`
|
|
11
11
|
objects.
|
|
12
12
|
|
|
13
|
+
## Important Security Consideration!
|
|
14
|
+
|
|
15
|
+
> [!WARNING]
|
|
16
|
+
> This library uses JavaScript regular expressions. Please read
|
|
17
|
+
> the following warning carefully, and be thoughtful about what
|
|
18
|
+
> you provide to this library in production systems.
|
|
19
|
+
|
|
20
|
+
_Any_ library in JavaScript that deals with matching string
|
|
21
|
+
patterns using regular expressions will be subject to
|
|
22
|
+
[ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
|
|
23
|
+
if the pattern is generated using untrusted input.
|
|
24
|
+
|
|
25
|
+
Efforts have been made to mitigate risk as much as is feasible in
|
|
26
|
+
such a library, providing maximum recursion depths and so forth,
|
|
27
|
+
but these measures can only ultimately protect against accidents,
|
|
28
|
+
not malice. A dedicated attacker can _always_ find patterns that
|
|
29
|
+
cannot be defended against by a bash-compatible glob pattern
|
|
30
|
+
matching system that uses JavaScript regular expressions.
|
|
31
|
+
|
|
32
|
+
To be extremely clear:
|
|
33
|
+
|
|
34
|
+
> [!WARNING]
|
|
35
|
+
> **If you create a system where you take user input, and use
|
|
36
|
+
> that input as the source of a Regular Expression pattern, in
|
|
37
|
+
> this or any extant glob matcher in JavaScript, you will be
|
|
38
|
+
> pwned.**
|
|
39
|
+
|
|
40
|
+
A future version of this library _may_ use a different matching
|
|
41
|
+
algorithm which does not exhibit backtracking problems. If and
|
|
42
|
+
when that happens, it will likely be a sweeping change, and those
|
|
43
|
+
improvements will **not** be backported to legacy versions.
|
|
44
|
+
|
|
45
|
+
In the near term, it is not reasonable to continue to play
|
|
46
|
+
whack-a-mole with security advisories, and so any future ReDoS
|
|
47
|
+
reports will be considered "working as intended", and resolved
|
|
48
|
+
entirely by this warning.
|
|
49
|
+
|
|
13
50
|
## Usage
|
|
14
51
|
|
|
15
52
|
```javascript
|
package/minimatch.js
CHANGED
|
@@ -811,8 +811,8 @@ Minimatch.prototype._matchGlobstar = function (file, pattern, partial, fileIndex
|
|
|
811
811
|
}
|
|
812
812
|
|
|
813
813
|
var head = pattern.slice(patternIndex, firstgs)
|
|
814
|
-
var body = pattern.slice(firstgs + 1, lastgs)
|
|
815
|
-
var tail = pattern.slice(lastgs + 1)
|
|
814
|
+
var body = partial ? pattern.slice(firstgs + 1) : pattern.slice(firstgs + 1, lastgs)
|
|
815
|
+
var tail = partial ? [] : pattern.slice(lastgs + 1)
|
|
816
816
|
|
|
817
817
|
// check the head
|
|
818
818
|
if (head.length) {
|
|
@@ -856,7 +856,7 @@ Minimatch.prototype._matchGlobstar = function (file, pattern, partial, fileIndex
|
|
|
856
856
|
return false
|
|
857
857
|
}
|
|
858
858
|
}
|
|
859
|
-
return sawSome
|
|
859
|
+
return partial || sawSome
|
|
860
860
|
}
|
|
861
861
|
|
|
862
862
|
// split body into segments at each GLOBSTAR
|
|
@@ -936,7 +936,7 @@ Minimatch.prototype._matchGlobStarBodySections = function (
|
|
|
936
936
|
}
|
|
937
937
|
fileIndex++
|
|
938
938
|
}
|
|
939
|
-
return null
|
|
939
|
+
return partial || null
|
|
940
940
|
}
|
|
941
941
|
|
|
942
942
|
Minimatch.prototype._matchOne = function (file, pattern, partial, fileIndex, patternIndex) {
|