limit recursion for **, improve perf considerably

isaacs · isaacs · commit 79e44472e457 · 2026-02-24T12:11:25.000-08:00
This limits the levels of recursion allowed when encountering multiple non-adjacent `**` portions of a pattern. Update `**` handling, with performance massively improved by limiting the recursive walk much more aggressively. When a `**` portion is present, the entire pattern is split up into sections. The head and tail first have to match, and then each subsequent portion is only tested in the part of the file where it might actually be found, taking advantage of the fact that non-globstar portions must always consume as many path portions as there are pattern portions. Fix: GHSA-7r86-cg39-jmmj Backported 0bf499a to v5
diff --git a/minimatch.js b/minimatch.js
@@ -168,6 +168,8 @@ class Minimatch {
     if (!options) options = {}
 
     this.options = options
+    this.maxGlobstarRecursion = options.maxGlobstarRecursion !== undefined
+      ? options.maxGlobstarRecursion : 200
     this.set = []
     this.pattern = pattern
     this.windowsPathsNoEscape = !!options.windowsPathsNoEscape ||
@@ -255,114 +257,172 @@ class Minimatch {
   // out of pattern, then that's fine, as long as all
   // the parts match.
   matchOne (file, pattern, partial) {
-    var options = this.options
+    if (pattern.indexOf(GLOBSTAR) !== -1) {
+      return this._matchGlobstar(file, pattern, partial, 0, 0)
+    }
+    return this._matchOne(file, pattern, partial, 0, 0)
+  }
 
-    this.debug('matchOne',
-      { 'this': this, file: file, pattern: pattern })
+  _matchGlobstar (file, pattern, partial, fileIndex, patternIndex) {
+    // find first globstar from patternIndex
+    let firstgs = -1
+    for (let i = patternIndex; i < pattern.length; i++) {
+      if (pattern[i] === GLOBSTAR) { firstgs = i; break }
+    }
 
-    this.debug('matchOne', file.length, pattern.length)
+    // find last globstar
+    let lastgs = -1
+    for (let i = pattern.length - 1; i >= 0; i--) {
+      if (pattern[i] === GLOBSTAR) { lastgs = i; break }
+    }
 
-    for (var fi = 0,
-        pi = 0,
-        fl = file.length,
-        pl = pattern.length
-        ; (fi < fl) && (pi < pl)
-        ; fi++, pi++) {
-      this.debug('matchOne loop')
-      var p = pattern[pi]
-      var f = file[fi]
+    const head = pattern.slice(patternIndex, firstgs)
+    const body = pattern.slice(firstgs + 1, lastgs)
+    const tail = pattern.slice(lastgs + 1)
 
-      this.debug(pattern, p, f)
+    // check the head
+    if (head.length) {
+      const fileHead = file.slice(fileIndex, fileIndex + head.length)
+      if (!this._matchOne(fileHead, head, partial, 0, 0)) {
+        return false
+      }
+      fileIndex += head.length
+    }
 
-      // should be impossible.
-      // some invalid regexp stuff in the set.
-      /* istanbul ignore if */
-      if (p === false) return false
-
-      if (p === GLOBSTAR) {
-        this.debug('GLOBSTAR', [pattern, p, f])
-
-        // "**"
-        // a/**/b/**/c would match the following:
-        // a/b/x/y/z/c
-        // a/x/y/z/b/c
-        // a/b/x/b/x/c
-        // a/b/c
-        // To do this, take the rest of the pattern after
-        // the **, and see if it would match the file remainder.
-        // If so, return success.
-        // If not, the ** "swallows" a segment, and try again.
-        // This is recursively awful.
-        //
-        // a/**/b/**/c matching a/b/x/y/z/c
-        // - a matches a
-        // - doublestar
-        //   - matchOne(b/x/y/z/c, b/**/c)
-        //     - b matches b
-        //     - doublestar
-        //       - matchOne(x/y/z/c, c) -> no
-        //       - matchOne(y/z/c, c) -> no
-        //       - matchOne(z/c, c) -> no
-        //       - matchOne(c, c) yes, hit
-        var fr = fi
-        var pr = pi + 1
-        if (pr === pl) {
-          this.debug('** at the end')
-          // a ** at the end will just swallow the rest.
-          // We have found a match.
-          // however, it will not swallow /.x, unless
-          // options.dot is set.
-          // . and .. are *never* matched by **, for explosively
-          // exponential reasons.
-          for (; fi < fl; fi++) {
-            if (file[fi] === '.' || file[fi] === '..' ||
-              (!options.dot && file[fi].charAt(0) === '.')) return false
-          }
-          return true
+    // check the tail
+    let fileTailMatch = 0
+    if (tail.length) {
+      if (tail.length + fileIndex > file.length) return false
+
+      const tailStart = file.length - tail.length
+      if (this._matchOne(file, tail, partial, tailStart, 0)) {
+        fileTailMatch = tail.length
+      } else {
+        // affordance for stuff like a/**/* matching a/b/
+        if (file[file.length - 1] !== '' ||
+            fileIndex + tail.length === file.length) {
+          return false
+        }
+        if (!this._matchOne(file, tail, partial, tailStart - 1, 0)) {
+          return false
         }
+        fileTailMatch = tail.length + 1
+      }
+    }
 
-        // ok, let's see if we can swallow whatever we can.
-        while (fr < fl) {
-          var swallowee = file[fr]
+    // if body is empty (single ** between head and tail)
+    if (!body.length) {
+      let sawSome = !!fileTailMatch
+      for (let i = fileIndex; i < file.length - fileTailMatch; i++) {
+        const f = String(file[i])
+        sawSome = true
+        if (f === '.' || f === '..' ||
+            (!this.options.dot && f.charAt(0) === '.')) {
+          return false
+        }
+      }
+      return sawSome
+    }
 
-          this.debug('\nglobstar while', file, fr, pattern, pr, swallowee)
+    // split body into segments at each GLOBSTAR
+    const bodySegments = [[[], 0]]
+    let currentBody = bodySegments[0]
+    let nonGsParts = 0
+    const nonGsPartsSums = [0]
+    for (const b of body) {
+      if (b === GLOBSTAR) {
+        nonGsPartsSums.push(nonGsParts)
+        currentBody = [[], 0]
+        bodySegments.push(currentBody)
+      } else {
+        currentBody[0].push(b)
+        nonGsParts++
+      }
+    }
 
-          // XXX remove this slice.  Just pass the start index.
-          if (this.matchOne(file.slice(fr), pattern.slice(pr), partial)) {
-            this.debug('globstar found match!', fr, fl, swallowee)
-            // found a match.
-            return true
-          } else {
-            // can't swallow "." or ".." ever.
-            // can only swallow ".foo" when explicitly asked.
-            if (swallowee === '.' || swallowee === '..' ||
-              (!options.dot && swallowee.charAt(0) === '.')) {
-              this.debug('dot detected!', file, fr, pattern, pr)
-              break
-            }
-
-            // ** swallows a segment, and continue.
-            this.debug('globstar swallow a segment, and continue')
-            fr++
-          }
+    let idx = bodySegments.length - 1
+    const fileLength = file.length - fileTailMatch
+    for (const b of bodySegments) {
+      b[1] = fileLength - (nonGsPartsSums[idx--] + b[0].length)
+    }
+
+    return !!this._matchGlobStarBodySections(
+      file, bodySegments, fileIndex, 0, partial, 0, !!fileTailMatch
+    )
+  }
+
+  // return false for "nope, not matching"
+  // return null for "not matching, cannot keep trying"
+  _matchGlobStarBodySections (
+    file, bodySegments, fileIndex, bodyIndex, partial, globStarDepth, sawTail
+  ) {
+    const bs = bodySegments[bodyIndex]
+    if (!bs) {
+      // just make sure there are no bad dots
+      for (let i = fileIndex; i < file.length; i++) {
+        sawTail = true
+        const f = file[i]
+        if (f === '.' || f === '..' ||
+            (!this.options.dot && f.charAt(0) === '.')) {
+          return false
         }
+      }
+      return sawTail
+    }
 
-        // no match was found.
-        // However, in partial mode, we can't say this is necessarily over.
-        // If there's more *pattern* left, then
-        /* istanbul ignore if */
-        if (partial) {
-          // ran out of file
-          this.debug('\n>>> no match, partial?', file, fr, pattern, pr)
-          if (fr === fl) return true
+    const [body, after] = bs
+    while (fileIndex <= after) {
+      const m = this._matchOne(
+        file.slice(0, fileIndex + body.length),
+        body,
+        partial,
+        fileIndex,
+        0
+      )
+      // if limit exceeded, no match. intentional false negative,
+      // acceptable break in correctness for security.
+      if (m && globStarDepth < this.maxGlobstarRecursion) {
+        const sub = this._matchGlobStarBodySections(
+          file, bodySegments,
+          fileIndex + body.length, bodyIndex + 1,
+          partial, globStarDepth + 1, sawTail
+        )
+        if (sub !== false) {
+          return sub
         }
+      }
+      const f = file[fileIndex]
+      if (f === '.' || f === '..' ||
+          (!this.options.dot && f.charAt(0) === '.')) {
         return false
       }
+      fileIndex++
+    }
+    return null
+  }
+
+  _matchOne (file, pattern, partial, fileIndex, patternIndex) {
+    let fi, pi, fl, pl
+    for (
+      fi = fileIndex, pi = patternIndex, fl = file.length, pl = pattern.length
+      ; (fi < fl) && (pi < pl)
+      ; fi++, pi++
+    ) {
+      this.debug('matchOne loop')
+      const p = pattern[pi]
+      const f = file[fi]
+
+      this.debug(pattern, p, f)
+
+      // should be impossible.
+      // some invalid regexp stuff in the set.
+      /* istanbul ignore if */
+      if (p === false || p === GLOBSTAR) return false
 
       // something other than **
       // non-magic patterns just have to match exactly
       // patterns with magic have been turned into regexps.
-      var hit
+      let hit
       if (typeof p === 'string') {
         hit = f === p
         this.debug('string match', p, f, hit)
@@ -374,17 +434,6 @@ class Minimatch {
       if (!hit) return false
     }
 
-    // Note: ending in / means that we'll get a final ""
-    // at the end of the pattern.  This can only match a
-    // corresponding "" at the end of the file.
-    // If the file ends in /, then it can only match a
-    // a pattern that ends in /, unless the pattern just
-    // doesn't have any more for it. But, a/b/ should *not*
-    // match "a/b/*", even though "" matches against the
-    // [^/]*? pattern, except in partial mode, where it might
-    // simply not be reached yet.
-    // However, a/b/ should still satisfy a/*
-
     // now either we fell off the end of the pattern, or we're done.
     if (fi === fl && pi === pl) {
       // ran out of pattern and filename at the same time.
diff --git a/test/multiple-non-adjacent-globstars.js b/test/multiple-non-adjacent-globstars.js
@@ -0,0 +1,89 @@
+const t = require('tap')
+const minimatch = require('../minimatch.js')
+const performance = require('perf_hooks').performance
+
+t.test('GHSA-7r86-cg39-jmmj', async t => {
+  const k = 50
+  const pattern =
+    Array.from({ length: k }, () => '**/a').join('/') + '/b/**'
+  const patha = Array(100).fill('a').join('/') + '/a'
+  const pathb = Array(100).fill('a').join('/') + '/b/c/d/.e/a/b'
+  t.comment({ patha, pathb, pattern })
+
+  const starta = performance.now()
+  t.equal(minimatch(patha, pattern), false)
+  const dura = performance.now() - starta
+  t.ok(dura < 1000, 'should take less than 1s to find mismatch', {
+    found: dura,
+    wanted: '<1000',
+  })
+
+  const startb = performance.now()
+  t.equal(minimatch(pathb, pattern, { dot: true }), true)
+  const durb = performance.now() - startb
+  t.comment({ dura, durb })
+  t.ok(durb < 1000, 'should take less than 1s to find match', {
+    found: durb,
+    wanted: '<1000',
+  })
+
+  const startc = performance.now()
+  t.equal(minimatch(pathb, pattern), false)
+  const durc = performance.now() - startc
+  t.comment({ dura, durb, durc })
+  t.ok(durc < 1000, 'should take less than 1s to find dot mismatch', {
+    found: durc,
+    wanted: '<1000',
+  })
+})
+
+t.test('alphabetical', async t => {
+  const alphabet = 'abcdefghijklmnopqrstuvwxyz'.repeat(5)
+  const pattern = '**/' + alphabet.split('').join('/**/') + '/**'
+  const exclude = (c) =>
+    alphabet.split('').filter(char => c != char)
+  const path =
+    alphabet
+      .split('')
+      .map(c => exclude(c))
+      .reduce((set, c) => set.concat(c), [])
+      .join('/') +
+    '/' +
+    exclude('a').concat('a').join('/')
+  t.comment(path, pattern)
+  const start = performance.now()
+  t.equal(minimatch(path, pattern, { maxGlobstarRecursion: 30 }), false)
+  t.equal(minimatch(path, pattern), true)
+  const dur = performance.now() - start
+  t.comment('alphabet time', dur)
+})
+
+t.test('tail handling 1', async t => {
+  const pattern = '.x/**/*/*/**'
+  const match = '.x/.y/.z/'
+  const nomatch = '.x/.y/.z'
+  t.equal(minimatch(match, pattern, { dot: true }), true)
+  t.equal(minimatch(nomatch, pattern, { dot: true }), false)
+})
+
+t.test('tail handling 2', async t => {
+  const pattern = '.x/**/**/*'
+  const match = '.x/.y/.z/'
+  const nomatch = '.x/'
+  t.equal(minimatch(match, pattern, { dot: true }), true)
+  t.equal(minimatch(nomatch, pattern, { dot: true }), false, {
+    file: nomatch,
+    pattern,
+  })
+})
+
+t.test('head/tail edge cases', async t => {
+  // head mismatch: head 'a' does not match file starting with 'x'
+  t.equal(minimatch('x/c', 'a/**/c'), false)
+  // tail direct match: tail 'a' matches file[last] on first try
+  t.equal(minimatch('b/a', '**/a'), true)
+  // tail fallback failure: file ends in '/' but segment before '' is not 'a'
+  t.equal(minimatch('b/c/', '**/a'), false)
+  // tail too long: head + tail longer than entire file
+  t.equal(minimatch('a', 'a/**/b/c'), false)
+})
