fix ReDoS vulnerability

Trott · Trott · commit 791b7d8ea180 · 2018-10-24T22:38:38.000-07:00
diff --git a/.travis.yml b/.travis.yml
@@ -2,5 +2,5 @@ before_script: "npm install --dev"
 script: "npm test"
 language: node_js
 node_js:
-    - 0.8
-    - 0.10
+    - node
+    - lts/*
diff --git a/package.json b/package.json
@@ -1,23 +1,41 @@
-{ "name": "slug"
-, "description": "slugifies even utf-8 chars!"
-, "version": "0.9.1"
-, "homepage": "https://github.com/dodo/node-slug"
-, "author": "dodo (https://github.com/dodo)"
-, "repository": {"type": "git", "url": "git://github.com/dodo/node-slug.git"}
-, "main": "slug.js"
-, "engines": {"node": ">= 0.4.x"}
-, "keywords": ["slugify", "slug", "string", "utf8", "utf-8", "unicode", "url"]
-, "scripts": {
-    "test": "./node_modules/.bin/mocha ./test/*.test.* --require should --reporter spec --colors --compilers coffee:coffee-script/register"}
-, "dependencies": {
-    "unicode": ">= 0.3.1"}
-, "devDependencies": {
-    "mocha": "~1.17.1",
-    "should": "~3.1.2",
-    "coffee-script": "~1.7.1"}
-, "bin": {
-    "slug": "bin/slug.js"}
-, "licenses" : [
-    { "type": "MIT" ,
-      "url": "http://github.com/dodo/node-slug/raw/master/LICENSE"} ]
+{
+    "name": "slug",
+    "description": "slugifies even utf-8 chars!",
+    "version": "0.9.1",
+    "homepage": "https://github.com/Trott/node-slug",
+    "author": "dodo (https://github.com/dodo)",
+    "repository": {
+        "type": "git",
+        "url": "git://github.com/Trott/node-slug.git"
+    },
+    "main": "slug.js",
+    "keywords": [
+        "slugify",
+        "slug",
+        "string",
+        "utf8",
+        "utf-8",
+        "unicode",
+        "url"
+    ],
+    "scripts": {
+        "test": "./node_modules/.bin/mocha ./test/*.test.* --require should --reporter spec --colors --compilers coffee:coffee-script/register"
+    },
+    "dependencies": {
+        "unicode": ">= 0.3.1"
+    },
+    "devDependencies": {
+        "coffee-script": "~1.7.1",
+        "mocha": "^5.2.0",
+        "should": "~3.1.2"
+    },
+    "bin": {
+        "slug": "bin/slug.js"
+    },
+    "licenses": [
+        {
+            "type": "MIT",
+            "url": "http://github.com/Trott/node-slug/raw/master/LICENSE"
+        }
+    ]
 }
diff --git a/slug.js b/slug.js
@@ -54,14 +54,14 @@ function slug(string, opts) {
                 for(var j = 0, rl = removelist.length; j < rl; j++) {
                     char = char.replace(removelist[j], '');
                 }
-                char = char.replace(/^\s+|\s+$/g, '');
+                char = char.trim();
             }
         }
         char = char.replace(/[^\w\s\-\.\_~]/g, ''); // allowed
         if (opts.remove) char = char.replace(opts.remove, ''); // add flavour
         result += char;
     }
-    result = result.replace(/^\s+|\s+$/g, ''); // trim leading/trailing spaces
+    result = result.trim();
     result = result.replace(/[-\s]+/g, opts.replacement); // convert spaces
     result = result.replace(opts.replacement+"$",''); // remove trailing separator
     if (opts.lower)

Original file line number	Diff line number	Diff line change
`@@ -54,14 +54,14 @@ function slug(string, opts) {`
`54`	`54`	`for(var j = 0, rl = removelist.length; j < rl; j++) {`
`55`	`55`	`char = char.replace(removelist[j], '');`
`56`	`56`	`}`
`57`		`- char = char.replace(/^\s+\|\s+$/g, '');`
	`57`	`+ char = char.trim();`
`58`	`58`	`}`
`59`	`59`	`}`
`60`	`60`	`char = char.replace(/[^\w\s\-\.\_~]/g, ''); // allowed`
`61`	`61`	`if (opts.remove) char = char.replace(opts.remove, ''); // add flavour`
`62`	`62`	`result += char;`
`63`	`63`	`}`
`64`		`- result = result.replace(/^\s+\|\s+$/g, ''); // trim leading/trailing spaces`
	`64`	`+ result = result.trim();`
`65`	`65`	`result = result.replace(/[-\s]+/g, opts.replacement); // convert spaces`
`66`	`66`	`result = result.replace(opts.replacement+"$",''); // remove trailing separator`
`67`	`67`	`if (opts.lower)`