Improve performance of toNumber, trim and trimEnd on large input strings

This prevents potential ReDoS attacks using `_.toNumber` and `_.trim*` as potential attack vectors. Closes #5065.
2026-02-04 08:57:49 +00:00 · 2021-01-26 23:17:05 +01:00
parent 3469357cff
commit c4847ebe7d
2 changed files with 68 additions and 7 deletions
--- a/test/test.js
+++ b/test/test.js
@@ -23783,6 +23783,22 @@

      assert.deepEqual(actual, expected);
    });
+
+    QUnit.test('`_.`' + methodName + '` should prevent ReDoS', function(assert) {
+      assert.expect(2);
+
+      var largeStrLen = 50000,
+          largeStr = '1' + lodashStable.repeat(' ', largeStrLen) + '1',
+          maxMs = 1000,
+          startTime = lodashStable.now();
+
+      assert.deepEqual(_[methodName](largeStr), methodName == 'toNumber' ? NaN : 0);
+
+      var endTime = lodashStable.now(),
+          timeSpent = endTime - startTime;
+
+      assert.ok(timeSpent < maxMs, 'operation took ' + timeSpent + 'ms');
+    });
  });

  /*--------------------------------------------------------------------------*/
@@ -24368,6 +24384,22 @@
      assert.strictEqual(func(string, ''), string);
    });

+    QUnit.test('`_.`' + methodName + '` should prevent ReDoS', function(assert) {
+      assert.expect(2);
+
+      var largeStrLen = 50000,
+          largeStr = 'A' + lodashStable.repeat(' ', largeStrLen) + 'A',
+          maxMs = 1000,
+          startTime = lodashStable.now();
+
+      assert.strictEqual(_[methodName](largeStr), largeStr);
+
+      var endTime = lodashStable.now(),
+          timeSpent = endTime - startTime;
+
+      assert.ok(timeSpent < maxMs, 'operation took ' + timeSpent + 'ms');
+    });
+
    QUnit.test('`_.' + methodName + '` should work as an iteratee for methods like `_.map`', function(assert) {
      assert.expect(1);