fix: add possessive quantifier to regex match for formatted strings

(Fixes https://github.com/faker-ruby/faker/security/code-scanning/14)

Adds a possessive quantifier (an extra `+`) to the regex to prevent backtracking.

This is to prevent the issue 'Polynomial regular expression used on
uncontrolled data code'. It seems a bit overkill, given how these
formatted strings are used, but I don't think it hurts either.

See reference:
https://ruby-doc.org/3.4.1/Regexp.html#class-Regexp-label-Greedy-2C+Lazy-2C+or+Possessive+Matching

Author: thdaraujo

lib/faker.rb

@@ -133,7 +133,8 @@ def fetch_all(key)
       # formatted translation: e.g., "#{first_name} #{last_name}".
       def parse(key)
         fetched = fetch(key)
-        parts = fetched.scan(/(\(?)#\{([A-Za-z]+\.)?([^}]+)\}([^#]+)?/).map do |prefix, kls, meth, etc|
+
+        parts = fetched.scan(/(\(?)#\{([A-Za-z]+\.)?([^}]+)\}([^#]++)?/).map do |prefix, kls, meth, etc|
           # If the token had a class Prefix (e.g., Name.first_name)
           # grab the constant, otherwise use self
           cls = kls ? Faker.const_get(kls.chop) : self