Merge pull request #3 from Trott/patch-1

fix for  CVE-2021-23425

Author: stevemao

index.js

@@ -1,6 +1,6 @@
 'use strict';
 
-var regex = /^(?:\r\n|\n|\r)+|(?:\r\n|\n|\r)+$/g;
+var regex = /^(?:\r|\n)+|(?:\r|\n)+$/g;
 
 module.exports = function (str) {
 	return str.replace(regex, '');

package.json

@@ -34,10 +34,9 @@
     "remove",
     "delete"
   ],
-  "dependencies": {},
   "devDependencies": {
     "mocha": "*",
-    "xo": "*"
+    "xo": "^0.17.1"
   },
   "xo": {
     "envs": [

test.js

@@ -19,3 +19,10 @@ it('should trim off \\r\\n', function () {
 	assert.strictEqual(trimOffNewlines('\r\nunicorns\r\n'), 'unicorns');
 	assert.strictEqual(trimOffNewlines('unicorns\r\n\r\n\r\n\r\n\r\n\r\n'), 'unicorns');
 });
+
+it('should not be susceptible to exponential backtracking', function () {
+	var start = Date.now();
+	trimOffNewlines('a' + '\r\n'.repeat(1000) + 'a');
+	var end = Date.now();
+	assert.ok(end - start < 1000, 'took too long, probably susceptible to ReDOS');
+});