gulpjs · phated · Jul 20, 2021 · Jun 24, 2021 · Jun 24, 2021 · Jun 26, 2021
diff --git a/index.js b/index.js
@@ -6,7 +6,7 @@ var isWin32 = require('os').platform() === 'win32';
 
 var slash = '/';
 var backslash = /\\/g;
-var enclosure = /[{[].*\/.*[}\]]$/;
+var enclosure = /[{[][^/\r\n\u2028\u2029]*\/.*[}\]]$/;
-var enclosure = /[{[][^/\r\n\u2028\u2029]*\/.*[}\]]$/;
+var enclosure = /[{[][^/]*\/.*[}\]]$/;
-var enclosure = /[{[][^/\r\n\u2028\u2029]*\/.*[}\]]$/;
+var enclosure = /[{[][^/]*\/.*[}\]]$/;
 var globby = /(^|[^\\])([{[]|\([^)]+$)/;
 var escaped = /\\([!*?|[\](){}])/g;
 

diff --git a/test/index.test.js b/test/index.test.js
@@ -4,6 +4,8 @@ var gp = require('../');
 var expect = require('expect');
 var isWin32 = require('os').platform() === 'win32';
 
+var performance = require('perf_hooks').performance;
+
 describe('glob-parent', function () {
   it('should strip glob magic to return parent path', function (done) {
     expect(gp('.')).toEqual('.');
@@ -224,6 +226,26 @@ describe('glob2base test patterns', function () {
 
     done();
   });
+
+  it('should not increase calc. time exponentially by \'/\' count [CVE-2021-35065]', function (done) {
+    var measure = function(n) {
+      var input = "{" + "/".repeat(n);
+      var st = performance.now();
+      gp(input);
+      var ed = performance.now();
+      return (ed - st) / (n * n);
+    };
+
+    var result0 = measure(5000);
+
+    [50000, 500000].forEach(function(n) {
+      var result1 = measure(n);
+      expect(result1 / result0).toBeLessThan(0.9);
+      result0 = result1;
+    });
+
+    done();
+  });
 });
 
 if (isWin32) {