Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Leaked micromatch implementation behaviour #173

Closed
janat08 opened this issue May 2, 2019 · 4 comments
Closed

Leaked micromatch implementation behaviour #173

janat08 opened this issue May 2, 2019 · 4 comments
Assignees
@mrmlnc
Labels
Type: Bug
Milestone
3.0.0

Comments

@janat08
Copy link

janat08 commented May 2, 2019
edited

Environment

  • OS Version: ubuntu 19.04
  • Node.js Version: 10.15.3

I won't pretend to understand the issue. This manifests in downstream package: sindresorhus/globby#97 (comment).
@jonschlinkert
Copy link

jonschlinkert commented May 2, 2019
edited

From the linked issue:

fast-glob uses micromatch, which turns tmp\\*.{md,tmp} into tmp//*.(md|tmp) using brace expansion. When noext is specified, literal parentheses get matched:

Micromatch explicitly does not convert \\ to / in globs, as that is unsafe and could enable malicious regular expressions to be used.

Regarding the parentheses, that's a completely separate issue. Parentheses should only be matched literally when 1) noext is true, and 2) when literal parentheses were actually defined in the glob pattern. In your example, braces are used, which should not result in the behavior you're describing. If I recall correctly, this is one of the use cases I mentioned would happen if we escaped characters automatically, so I'm pretty sure that cause is not micromatch. However, I might be wrong, as my memory isn't all that great these days. If that is indeed caused in micromatch, please open an issue and I'll get it fixed right away.

@jonschlinkert
Copy link

related:

@mrmlnc mrmlnc self-assigned this May 3, 2019
@mrmlnc mrmlnc mentioned this issue May 12, 2019
Merged
@mrmlnc
Copy link
Owner

mrmlnc commented May 12, 2019
edited

So, looks like bug in micromatch@3.

Tasks:

[
    {
        base: 'fixtures',
        dynamic: true,
        patterns: ['fixtures/**/*.{md,txt}'],
        positive: ['fixtures/**/*.{md,txt}'],
        negative: []
    }
]

Micromatch options:

{
    dot: false,
    nobrace: false,
    noglobstar: false,
    noext: true,
    nocase: false,
    matchBase: false
}

micromatch@3

RegExp:

/^(?:(?:\.[\\\/](?=.))?fixtures[\\\/]?\b(?!\.)(?:(?!(?:[\\\/]|^)\.).)*?[\\\/](?!\.)(?=.)[^\\\/]*?\.\(md|txt\)(?:[\\\/]|$))$/

When the noext option has false as value:

/^(?:(?:\.[\\\/](?=.))?fixtures[\\\/]?\b(?!\.)(?:(?!(?:[\\\/]|^)\.).)*?[\\\/](?!\.)(?=.)[^\\\/]*?\.(?:md|txt)(?:[\\\/]|$))$/

micromatch@4

RegExp:

/^(?:fixtures(?:[\\\/](?!\.)(?:(?:(?!(?:^|[\\\/])\.).)*?)[\\\/]|[\\\/]|$)(?!\.)(?=.)[^\\\/]*?\.(md|txt))$/

When the noext option has false as value:

/^(?:fixtures(?:[\\\/](?!\.)(?:(?:(?!(?:^|[\\\/])\.).)*?)[\\\/]|[\\\/]|$)(?!\.)(?=.)[^\\\/]*?\.(md|txt))$/

@mrmlnc mrmlnc added this to the 3.0.0 milestone May 12, 2019
@mrmlnc
Copy link
Owner

mrmlnc commented May 13, 2019
edited

Closing in favor of issue to use micromatch@4 (#154). This issue will be fixed with release fast-glob@3. You can check release issue #181.

@mrmlnc mrmlnc closed this as completed May 13, 2019
@mrmlnc mrmlnc mentioned this issue May 13, 2019
Closed
@snyk-bot snyk-bot mentioned this issue May 3, 2020
Closed
This was referenced Jun 6, 2021
Open
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mrmlnc mrmlnc

Labels
Type: Bug
Projects
None yet
Milestone
3.0.0
Development

No branches or pull requests
3 participants
@jonschlinkert @mrmlnc @janat08