From 9a77cb23c729295ae34e68bbb6c99dc5576422e4 Mon Sep 17 00:00:00 2001
From: Blake Embrey <hello@blakeembrey.com>
Date: Tue, 10 Sep 2024 13:40:51 -0700
Subject: [PATCH] Add backtrack protection to 1.x release

---
 index.js           |   13 +-
 package-lock.json  | 4226 ++++++++++++++++++++++++++++++++++++++++++++
 package.json       |   10 +-
 test.ts => test.js |   28 +-
 typings.json       |    9 -
 5 files changed, 4250 insertions(+), 36 deletions(-)
 create mode 100644 package-lock.json
 rename test.ts => test.js (98%)
 delete mode 100644 typings.json

diff --git a/index.js b/index.js
index e485afe..73cd8b5 100644
--- a/index.js
+++ b/index.js
@@ -72,8 +72,9 @@ function parse (str, options) {
     var partial = prefix != null && next != null && next !== prefix
     var repeat = modifier === '+' || modifier === '*'
     var optional = modifier === '?' || modifier === '*'
-    var delimiter = res[2] || defaultDelimiter
+    var delimiter = prefix || defaultDelimiter
     var pattern = capture || group
+    var prevText = prefix || (typeof tokens[tokens.length - 1] === 'string' ? tokens[tokens.length - 1] : '')
 
     tokens.push({
       name: name || key++,
@@ -83,7 +84,7 @@ function parse (str, options) {
       repeat: repeat,
       partial: partial,
       asterisk: !!asterisk,
-      pattern: pattern ? escapeGroup(pattern) : (asterisk ? '.*' : '[^' + escapeString(delimiter) + ']+?')
+      pattern: pattern ? escapeGroup(pattern) : (asterisk ? '.*' : restrictBacktrack(delimiter, prevText))
     })
   }
 
@@ -100,6 +101,14 @@ function parse (str, options) {
   return tokens
 }
 
+function restrictBacktrack(delimiter, prevText) {
+  if (!prevText || prevText.indexOf(delimiter) > -1) {
+    return '[^' + escapeString(delimiter) + ']+?'
+  }
+
+  return escapeString(prevText) + '|(?:(?!' + escapeString(prevText) + ')[^' + escapeString(delimiter) + '])+?'
+}
+
 /**
  * Compile a string to a template function for the path.
  *
