From 5e7ad38fb0f819fceb19fb2ee5d5d38f56aa837d Mon Sep 17 00:00:00 2001
From: Willian Agostini
Date: Tue, 26 Dec 2023 17:29:26 -0300
Subject: [PATCH] fix: Regular Expression Denial of Service (ReDoS) (#6132)

---
 lib/helpers/combineURLs.js | 2 +-
 test/specs/defaults.spec.js | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/lib/helpers/combineURLs.js b/lib/helpers/combineURLs.js
index cba9a23..9f04f02 100644
--- a/lib/helpers/combineURLs.js
+++ b/lib/helpers/combineURLs.js
@@ -10,6 +10,6 @@
  */
 export default function combineURLs(baseURL, relativeURL) {
   return relativeURL
-    ? baseURL.replace(/\/+$/, '') + '/' + relativeURL.replace(/^\/+/, '')
+    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
     : baseURL;
 }
diff --git a/test/specs/defaults.spec.js b/test/specs/defaults.spec.js
index 46c957b..1c5abf3 100644
--- a/test/specs/defaults.spec.js
+++ b/test/specs/defaults.spec.js
@@ -178,10 +178,25 @@ describe('defaults', function () {
     const instance = axios.create();
     axios.defaults.baseURL = 'http://example.org/';
 
+    instance.get('/foo/users');
+
+    getAjaxRequest().then(function (request) {
+      expect(request.url).toBe('/foo/users');
+      done();
+    });
+  });
+
+  it('should resistent to ReDoS attack', function (done) {
+    const instance = axios.create();
+    const start = performance.now();
+    const slashes = '/'.repeat(100000);
+    instance.defaults.baseURL = '/' + slashes + 'bar/';
     instance.get('/foo');
 
     getAjaxRequest().then(function (request) {
-      expect(request.url).toBe('/foo');
+      const elapsedTimeMs = performance.now() - start;
+      expect(elapsedTimeMs).toBeLessThan(20);
+      expect(request.url).toBe('/' + slashes + 'bar/foo');
       done();
     });
   });
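Review bot: The replacement regex `/\/?\/$/` on the added `? baseURL.replace(...)` line strips at most two trailing slashes, so a baseURL ending in three or more slashes now keeps the surplus and the joined result carries a double slash, whereas the removed `/\/+$/` stripped them all; neither the commit message nor the new test covers this narrowing, and the new test's baseURL ends in a single slash so it cannot notice it. The old pattern is presumably slow because a backtracking engine retries `\/+$` from every position inside the run of slashes, which is quadratic in the slash count; a single backwards scan is linear and keeps the original semantics. If the two-slash limit is intended instead, the JSDoc that ends at the `*/` context line (it starts outside the hunk) should say so, e.g. `* Only the last two trailing slashes of baseURL are removed (bounded work, see #6132).`
```javascript
export default function combineURLs(baseURL, relativeURL) {
  if (!relativeURL) return baseURL;
  // Trim every trailing '/' with one backwards pass: no regex backtracking,
  // so the cost is linear in the length of baseURL.
  let end = baseURL.length;
  while (end > 0 && baseURL[end - 1] === '/') end--;
  return baseURL.slice(0, end) + '/' + relativeURL.replace(/^\/+/, '');
}
```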
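Review bot: The 20 ms bound on the added `expect(elapsedTimeMs).toBeLessThan(20)` line is measured from before `axios.create()` until the mocked request resolves through `getAjaxRequest()`, so it times the whole dispatch path rather than `combineURLs` alone, and a loaded CI runner can exceed it even with a linear regex. The quadratic pattern this commit removes would presumably take seconds on 100000 slashes, so a looser bound such as `expect(elapsedTimeMs).toBeLessThan(500);` still discriminates without the flake risk. The test title also has a typo: `it('should be resistant to ReDoS attack', function (done) {`. The first `it` block in this hunk and the enclosing `describe('defaults', ...)` both start outside the hunk.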