Reject large optional route combinations (#424)

blakeembrey · web-flow · commit 22a967901afc · 2026-03-26T11:36:02.000-07:00
diff --git a/package.json b/package.json
@@ -50,7 +50,7 @@
   "size-limit": [
     {
       "path": "dist/index.js",
-      "limit": "2.3 kB"
+      "limit": "2.15 kB"
     }
   ],
   "ts-scripts": {
diff --git a/src/index.spec.ts b/src/index.spec.ts
@@ -166,6 +166,14 @@ describe("path-to-regexp", () => {
         expect(stack).toContain("index.spec.ts");
       }
     });
+
+    it("should throw when too many alternative routes are generated", () => {
+      const segments = new Array(10).fill("{/x}").join("");
+
+      expect(() => pathToRegexp(segments)).toThrow(
+        new PathError("Too many path combinations", segments),
+      );
+    });
   });
 
   describe("stringify errors", () => {
diff --git a/src/index.ts b/src/index.ts
@@ -463,10 +463,9 @@ export function pathToRegexp(
     sensitive = false,
     trailing = true,
   } = options;
-  const flags = sensitive ? "" : "i";
-  const keys: Keys = [];
   const root = new SourceNode("^");
   const paths: Array<Path | Path[]> = [path];
+  let combinations = 0;
 
   while (paths.length) {
     const path = paths.shift()!;
@@ -477,8 +476,11 @@ export function pathToRegexp(
     }
 
     const data = typeof path === "object" ? path : parse(path, options);
-
     flatten(data.tokens, 0, [], (tokens) => {
+      if (combinations++ >= 256) {
+        throw new PathError("Too many path combinations", data.originalPath);
+      }
+
       let node = root;
 
       for (const part of toRegExpSource(tokens, delimiter, data.originalPath)) {
@@ -489,11 +491,12 @@ export function pathToRegexp(
     });
   }
 
+  const keys: Keys = [];
   let pattern = toRegExp(root, keys);
   if (trailing) pattern += "(?:" + escape(delimiter) + "$)?";
   pattern += end ? "$" : "(?=" + escape(delimiter) + "|$)";
 
-  return { regexp: new RegExp(pattern, flags), keys };
+  return { regexp: new RegExp(pattern, sensitive ? "" : "i"), keys };
 }
 
 function toRegExp(node: SourceNode, keys: Keys): string {
@@ -504,7 +507,7 @@ function toRegExp(node: SourceNode, keys: Keys): string {
     .map((id) => toRegExp(node.children[id], keys))
     .join("|");
 
-  return node.source + (children.length <= 1 ? text : `(?:${text})`);
+  return node.source + (children.length < 2 ? text : `(?:${text})`);
 }
 
 class SourceNode {
@@ -532,13 +535,15 @@ function flatten(
 ): void {
   while (index < tokens.length) {
     const token = tokens[index++];
+
     if (token.type === "group") {
-      flatten(token.tokens, 0, result.slice(), (seq) => {
-        flatten(tokens, index, seq, callback);
-      });
-    } else {
-      result.push(token);
+      flatten(token.tokens, 0, result.slice(), (seq) =>
+        flatten(tokens, index, seq, callback),
+      );
+      continue;
     }
+
+    result.push(token);
   }
 
   callback(result);
diff --git a/src/redos.spec.ts b/src/redos.spec.ts
@@ -6,6 +6,7 @@ import { describe, expect, it } from "vitest";
 describe.concurrent("redos", () => {
   it.each(MATCH_TESTS.map((x) => [x.path, pathToRegexp(x.path).regexp]))(
     "%s - %s",
+    { timeout: 10_000 },
     async (_, regexp) => {
       const result = await check(regexp.source, regexp.flags);
       expect(result.status).toBe("safe");

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@`
`50`	`50`	`"size-limit": [`
`51`	`51`	`{`
`52`	`52`	`"path": "dist/index.js",`
`53`		`- "limit": "2.3 kB"`
	`53`	`+ "limit": "2.15 kB"`
`54`	`54`	`}`
`55`	`55`	`],`
`56`	`56`	`"ts-scripts": {`