coalesce consecutive non-globstar * characters

ljharb · ljharb · commit febe85d40f16 · 2026-02-19T13:49:53.000-08:00
Fix: GHSA-3ppc-4f35-3m26 Backport-Of: 2e111f3
diff --git a/minimatch.js b/minimatch.js
@@ -533,6 +533,9 @@ class Minimatch {
             continue
           }
 
+          // coalesce consecutive non-globstar * characters
+          if (c === '*' && stateChar === '*') continue
+
           // if we already have a stateChar, then it means
           // that there was something like ** or +? in there.
           // Handle the stateChar, then proceed with this one.
diff --git a/test/consecutive-stars-redos.js b/test/consecutive-stars-redos.js
@@ -0,0 +1,21 @@
+const tap = require('tap')
+const { Minimatch } = require('../')
+
+tap.test('consecutive stars are coalesced', t => {
+  const re1 = new Minimatch('a*b').makeRe()
+  const re3 = new Minimatch('a***b').makeRe()
+  t.equal(re3.toString(), re1.toString(), 'a***b same regex as a*b')
+  t.end()
+})
+
+tap.test('100+ consecutive stars do not cause ReDoS', t => {
+  const stars = '*'.repeat(100)
+  const pattern = 'a' + stars + 'b'
+  const start = Date.now()
+  const mm = new Minimatch(pattern)
+  const re = mm.makeRe()
+  re.test('a' + 'c'.repeat(25))
+  const elapsed = Date.now() - start
+  t.ok(elapsed < 1000, 'completed in ' + elapsed + 'ms (< 1s)')
+  t.end()
+})

Original file line number	Diff line number	Diff line change
`@@ -533,6 +533,9 @@ class Minimatch {`
`533`	`533`	`continue`
`534`	`534`	`}`
`535`	`535`
	`536`	`+ // coalesce consecutive non-globstar * characters`
	`537`	`+ if (c === '' && stateChar === '') continue`
	`538`	`+`
`536`	`539`	`// if we already have a stateChar, then it means`
`537`	`540`	`// that there was something like ** or +? in there.`
`538`	`541`	`// Handle the stateChar, then proceed with this one.`