CHANGELOG.md

@@ -4,22 +4,27 @@
 
 - eliminate ReDoS ([#36](https://github.com/gulpjs/glob-parent/issues/36)) ([f923116](https://github.com/gulpjs/glob-parent/commit/f9231168b0041fea3f8f954b3cceb56269fc6366))
 
-## [6.0.0](https://www.github.com/gulpjs/glob-parent/compare/v5.1.2...v6.0.0) (2021-05-03)
+### [6.0.1](https://www.github.com/gulpjs/glob-parent/compare/v6.0.0...v6.0.1) (2021-07-20)
+
+
+### Bug Fixes
 
+* Resolve ReDoS vulnerability from CVE-2021-35065 ([#49](https://www.github.com/gulpjs/glob-parent/issues/49)) ([3e9f04a](https://www.github.com/gulpjs/glob-parent/commit/3e9f04a3b4349db7e1962d87c9a7398cda51f339))
+
+## [6.0.0](https://www.github.com/gulpjs/glob-parent/compare/v5.1.2...v6.0.0) (2021-05-03)
 
 ### ⚠ BREAKING CHANGES
 
-* Correct mishandled escaped path separators (#34)
-* upgrade scaffold, dropping node <10 support
+- Correct mishandled escaped path separators (#34)
+- upgrade scaffold, dropping node <10 support
 
 ### Bug Fixes
 
-* Correct mishandled escaped path separators ([#34](https://www.github.com/gulpjs/glob-parent/issues/34)) ([32f6d52](https://www.github.com/gulpjs/glob-parent/commit/32f6d52663b7addac38d0dff570d8127edf03f47)), closes [#32](https://www.github.com/gulpjs/glob-parent/issues/32)
-
+- Correct mishandled escaped path separators ([#34](https://www.github.com/gulpjs/glob-parent/issues/34)) ([32f6d52](https://www.github.com/gulpjs/glob-parent/commit/32f6d52663b7addac38d0dff570d8127edf03f47)), closes [#32](https://www.github.com/gulpjs/glob-parent/issues/32)
 
 ### Miscellaneous Chores
 
-* upgrade scaffold, dropping node <10 support ([e83d0c5](https://www.github.com/gulpjs/glob-parent/commit/e83d0c5a411947cf69eb58f36349db80439c606f))
+- upgrade scaffold, dropping node <10 support ([e83d0c5](https://www.github.com/gulpjs/glob-parent/commit/e83d0c5a411947cf69eb58f36349db80439c606f))
 
 ### [5.1.1](https://github.com/gulpjs/glob-parent/compare/v5.1.0...v5.1.1) (2021-01-27)
 

index.js

@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
 
 var slash = '/';
 var backslash = /\\/g;
-var enclosure = /[{[].*\/.*[}\]]$/;
 var globby = /(^|[^\\])([{[]|\([^)]+$)/;
 var escaped = /\\([!*?|[\](){}])/g;
 
@@ -24,7 +23,7 @@ module.exports = function globParent(str, opts) {
   }
 
   // special case for strings ending in enclosure containing path separator
-  if (enclosure.test(str)) {
+  if (isEnclosure(str)) {
     str += slash;
   }
 
@@ -39,3 +38,26 @@ module.exports = function globParent(str, opts) {
   // remove escape chars and return result
   return str.replace(escaped, '$1');
 };
+
+function isEnclosure(str) {
+  var lastChar = str.slice(-1);
+
+  var enclosureStart;
+  switch (lastChar) {
+    case '}':
+      enclosureStart = '{';
+      break;
+    case ']':
+      enclosureStart = '[';
+      break;
+    default:
+      return false;
+  }
+
+  var foundIndex = str.indexOf(enclosureStart);
+  if (foundIndex < 0) {
+    return false;
+  }
+
+  return str.slice(foundIndex + 1, -1).includes(slash);
+}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "glob-parent",
-  "version": "6.0.0",
+  "version": "6.0.1",
   "description": "Extract the non-magic parent path from a glob string.",
   "author": "Gulp Team <team@gulpjs.com> (https://gulpjs.com/)",
   "contributors": [

test/index.test.js

@@ -224,6 +224,24 @@ describe('glob2base test patterns', function () {
 
     done();
   });
+
+  it("should finish in reasonable time for '{' + '/'.repeat(n) [CVE-2021-35065]", function (done) {
+    this.timeout(1000);
+    gp('{' + '/'.repeat(500000));
+    done();
+  });
+
+  it("should finish in reasonable time for '{'.repeat(n)", function (done) {
+    this.timeout(1000);
+    gp('{'.repeat(500000));
+    done();
+  });
+
+  it("should finish in reasonable time for '('.repeat(n)", function (done) {
+    this.timeout(1000);
+    gp('('.repeat(500000));
+    done();
+  });
 });
 
 if (isWin32) {