non-linear back tracking in the regex used in getDataProtocolModuleFormat

[JLHwung]

import-meta-resolve/lib/get-format.js

Lines 64 to 66 in 88a0e38

	const {1: mime} = /^([^/]+\/[^;,]+)[^,]*?(;base64)?,/.exec(
	parsed.pathname
	) || [null, null, null]

The ESLint rule regexp/no-super-linear-backtracking reports that

The quantifier '[^;,]+' can exchange characters with '[^,]*?'. Using any string accepted by /[^,;]+/, this can be exploited to cause at least polynomial backtracking.

For example, if the pathname is ./aaaaaaaaaaaB, the back tracking becomes polynomial since both [^;,]+ and [^,]*? match a.

[wooorm]

Hi!

Code’s from Node: https://github.com/nodejs/node/blob/94df36a12199de8bb06a02e5840e0e32415851c4/lib/internal/modules/esm/get_format.js#L99-L104. So issues/PRs can go there, then after it can get picked up here!

While it may be considered an issue here, I don’t want to track problems in Node here; fixing things there will help many more people than only fixing it here!