Prevent ReDoS by not using a regexp to verify floating point numbers

`parseFloat` will return `NaN` for invalid numbers anyway, which is the check used to throw the parse error. Fixes #857
2015-11-09 11:28:27 +01:00
parent 37ee9de902
commit 63d35f8f6d
1 changed files with 1 additions and 2 deletions
--- a/lib/parse.js
+++ b/lib/parse.js
@@ -59,7 +59,6 @@ var OPERATOR_CHARS = makePredicate(characters("+-*&%=<>!?|~^"));
 var RE_HEX_NUMBER = /^0x[0-9a-f]+$/i;
 var RE_OCT_NUMBER = /^0[0-7]+$/;
 var RE_DEC_NUMBER = /^\d*\.?\d*(?:e[+-]?\d*(?:\d\.?|\.?\d)\d*)?$/i;
 var OPERATORS = makePredicate([
    "in",
@@ -182,7 +181,7 @@ function parse_js_number(num) {
        return parseInt(num.substr(2), 16);
    } else if (RE_OCT_NUMBER.test(num)) {
        return parseInt(num.substr(1), 8);
-    } else if (RE_DEC_NUMBER.test(num)) {
+    } else {
        return parseFloat(num);
    }
 };