minimatch 5.1.8 → 5.1.9
- package/README.md +37 -0
- package/minimatch.js +4 -4
- package/package.json +1 -1
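--- a/package/README.md
+++ b/package/README.md
@@ -10,6 +10,43 @@ This is the matching library used internally by npm.
 It works by converting glob expressions into JavaScript `RegExp`
 objects.
 
+## Important Security Consideration!
+
+> [!WARNING]
+> This library uses JavaScript regular expressions. Please read
+> the following warning carefully, and be thoughtful about what
+> you provide to this library in production systems.
+
+_Any_ library in JavaScript that deals with matching string
+patterns using regular expressions will be subject to
+[ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
+if the pattern is generated using untrusted input.
+
+Efforts have been made to mitigate risk as much as is feasible in
+such a library, providing maximum recursion depths and so forth,
+but these measures can only ultimately protect against accidents,
+not malice. A dedicated attacker can _always_ find patterns that
+cannot be defended against by a bash-compatible glob pattern
+matching system that uses JavaScript regular expressions.
+
+To be extremely clear:
+
+> [!WARNING]
+> **If you create a system where you take user input, and use
+> that input as the source of a Regular Expression pattern, in
+> this or any extant glob matcher in JavaScript, you will be
+> pwned.**
+
+A future version of this library _may_ use a different matching
+algorithm which does not exhibit backtracking problems. If and
+when that happens, it will likely be a sweeping change, and those
+improvements will **not** be backported to legacy versions.
+
+In the near term, it is not reasonable to continue to play
+whack-a-mole with security advisories, and so any future ReDoS
+reports will be considered "working as intended", and resolved
+entirely by this warning.
+
 ## Usage
 
 ```javascript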
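--- a/package/minimatch.js
+++ b/package/minimatch.js
@@ -277,8 +277,8 @@ class Minimatch {
 }
 
 const head = pattern.slice(patternIndex, firstgs)
-const body = pattern.slice(firstgs + 1, lastgs)
-const tail = pattern.slice(lastgs + 1)
+const body = partial ? pattern.slice(firstgs + 1) : pattern.slice(firstgs + 1, lastgs)
+const tail = partial ? [] : pattern.slice(lastgs + 1)
 
 // check the head
 if (head.length) {
@@ -321,7 +321,7 @@ class Minimatch {
 return false
 }
 }
-return sawSome
+return partial || sawSome
 }
 
 // split body into segments at each GLOBSTAR
@@ -398,7 +398,7 @@ class Minimatch {
 }
 fileIndex++
 }
-return null
+return partial || null
 }
 
 _matchOne (file, pattern, partial, fileIndex, patternIndex) {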
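Review bot: The new `return partial || sawSome` (old line 324) and `return partial || null` (old line 401) hand back whatever value was passed as `partial` rather than a boolean, so if a caller ever supplies a truthy non-boolean it would surface as the match result; if `partial` is always a strict boolean this is harmless, but `return partial ? true : sawSome` and `return partial ? true : null` make the contract explicit at no cost. The reason the body is sliced to the end and the tail emptied under partial matching is not stated; a one-line comment above the `body` line, `// partial: a globstar may absorb the rest of the path, so nothing after it is required to match`, would tell the next reader why the later checks are bypassed. All three hunks sit inside a method whose opening and closing lines are outside the hunks, so the surrounding control flow that feeds `sawSome` is not visible here.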