coalesce consecutive non-globstar * characters

ljharb · ljharb · commit 46fe687857cf · 2026-02-19T13:44:45.000-08:00
Fix: GHSA-3ppc-4f35-3m26 Backport-Of: 2e111f3
diff --git a/minimatch.js b/minimatch.js
@@ -390,6 +390,9 @@ function parse (pattern, isSub) {
           continue
         }
 
+        // coalesce consecutive non-globstar * characters
+        if (c === '*' && stateChar === '*') continue
+
         // if we already have a stateChar, then it means
         // that there was something like ** or +? in there.
         // Handle the stateChar, then proceed with this one.
diff --git a/test/consecutive-stars-redos.js b/test/consecutive-stars-redos.js
@@ -0,0 +1,22 @@
+var tap = require('tap')
+var minimatch = require('../')
+var Minimatch = minimatch.Minimatch
+
+tap.test('consecutive stars are coalesced', function (t) {
+  var re1 = new Minimatch('a*b').makeRe()
+  var re3 = new Minimatch('a***b').makeRe()
+  t.equal(re3.toString(), re1.toString(), 'a***b same regex as a*b')
+  t.end()
+})
+
+tap.test('100+ consecutive stars do not cause ReDoS', function (t) {
+  var stars = new Array(101).join('*')
+  var pattern = 'a' + stars + 'b'
+  var start = Date.now()
+  var mm = new Minimatch(pattern)
+  var re = mm.makeRe()
+  re.test('a' + new Array(26).join('c'))
+  var elapsed = Date.now() - start
+  t.ok(elapsed < 1000, 'completed in ' + elapsed + 'ms (< 1s)')
+  t.end()
+})

Original file line number	Diff line number	Diff line change
`@@ -390,6 +390,9 @@ function parse (pattern, isSub) {`
`390`	`390`	`continue`
`391`	`391`	`}`
`392`	`392`
	`393`	`+ // coalesce consecutive non-globstar * characters`
	`394`	`+ if (c === '' && stateChar === '') continue`
	`395`	`+`
`393`	`396`	`// if we already have a stateChar, then it means`
`394`	`397`	`// that there was something like ** or +? in there.`
`395`	`398`	`// Handle the stateChar, then proceed with this one.`