Fixed potential catastrophic backtracking vulnerability

Author: unlight

gulp-cssimport.js

@@ -240,7 +240,7 @@ function isMatch(path, options) {
         var fileExt = getExtension(path);
         for (var k = 0; k < extensions.length; k++) {
             var extension = extensions[k];
-            var isInverse = extension.charAt(0) === "!";
+            var isInverse = extension.charAt(0) === '!';
             if (isInverse) {
                 extension = extension.slice(1);
             }
@@ -251,18 +251,17 @@ function isMatch(path, options) {
             }
         }
     }
-    if (typeof result === "undefined") {
+    if (typeof result === 'undefined') {
         result = true;
     }
     return result;
 }
 
 function isUrl(s) {
-    var regexp = /(http|https):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-/]))?/;
-    return regexp.test(s);
+    return /^(http|https):\/\//.test(s);
 }
 
 function getExtension(p) {
     p = String(p);
-    return p.substr(p.lastIndexOf(".") + 1);
+    return p.substr(p.lastIndexOf('.') + 1);
 }

package.json

@@ -4,6 +4,7 @@
   "description": "Parses a CSS file, finds imports, grabs the content of the linked file and replaces the import statement with it.",
   "main": "gulp-cssimport.js",
   "scripts": {
+    "np": "np",
     "test": "cd test && node index.js"
   },
   "repository": {
@@ -31,11 +32,11 @@
   },
   "devDependencies": {
     "gulp": "3",
-    "gulp-bump": "2.7.0",
-    "gulp-eslint": "^4.0.0",
-    "gulp-load-plugins": "1.5.0",
+    "gulp-bump": "^3.1.0",
+    "gulp-eslint": "^4.0.2",
+    "gulp-load-plugins": "^1.5.0",
     "gulp-sourcemaps": "*",
-    "tape": "^4.8.0"
+    "tape": "^4.9.0"
   },
   "license": "MIT"
 }

readme.md

@@ -136,40 +136,43 @@ TODO
 
 CHANGELOG
 ---------
-6.0 [1 Sep 2017]
+6.0.1 [23 Feb 2018]
+- fixed potential catastrophic backtracking vulnerability
+
+6.0.0 [01 Sep 2017]
 - remove byte order mask from imported files
 
-5.1 [13 Aug 2017]
+5.1.0 [13 Aug 2017]
 - added option 'transform'
 
-5.0 [20 Nov 2016]
+5.0.0 [20 Nov 2016]
 - added option 'skipComments'
 
-4.0 [6 Oct 2016]
+4.0.0 [06 Oct 2016]
 - added option 'includePaths'
 
-3.0 [28 Feb 2016]
+3.0.0 [28 Feb 2016]
 - removed node streams support, now only gulp
 - removed directory option
 - added sourcemaps support
 - fixed bogus destination bugs
 
-2.0 [30 Jun 2015]
+2.0.0 [30 Jun 2015]
 - changed parse algorithm
 - can handle recursive import
 - can handle minified css files
 - added option 'matchPattern'
 
-1.3 [14 Nov 2014]
+1.3.0 [14 Nov 2014]
 - added option 'extensions'
 - added option 'filter'
 
-1.2 [15 Feb 2014]
+1.2.0 [15 Feb 2014]
 - fixed processing urls
 
-1.1 [15 Feb 2014]
+1.1.0 [15 Feb 2014]
 - switched to through2
 - process files asynchronously
 
-1.0 [12 Feb 2014]
+1.0.0 [12 Feb 2014]
 - first release