Merge pull request from GHSA-4q6p-r6v2-jvc5

Author: keithamus

index.js

@@ -13,6 +13,7 @@
 
 const { toString } = Function.prototype;
 const functionNameMatch = /\s*function(?:\s|\s*\/\*[^(?:*/)]+\*\/\s*)*([^\s(/]+)/;
+const maxFunctionSourceLength = 512;
 function getFuncName(aFunc) {
   if (typeof aFunc !== 'function') {
     return null;
@@ -22,6 +23,12 @@ function getFuncName(aFunc) {
   if (typeof Function.prototype.name === 'undefined' && typeof aFunc.name === 'undefined') {
     // Here we run a polyfill if Function does not support the `name` property and if aFunc.name is not defined
     // eslint-disable-next-line prefer-reflect
+    const functionSource = toString.call(aFunc);
+    // To avoid unconstrained resource consumption due to pathalogically large function names,
+    // we limit the available return value to be less than 512 characters.
+    if (functionSource.indexOf('(') > maxFunctionSourceLength) {
+      return name;
+    }
     const match = toString.call(aFunc).match(functionNameMatch);
     if (match) {
       [ name ] = match;

package-lock.json

@@ -31,6 +31,19 @@ describe('getFuncName', function () {
     assert(getFuncName(anonymousFunc) === '');
   });
 
+  it('should return an empty string for overly large function names', function () {
+    // eslint-disable-next-line max-len, func-style, func-name-matching, id-length
+    const longFunc = function aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa() {};
+    Object.defineProperty(longFunc, 'name', { value: undefined });
+    // Temporarily disable the Function.prototype.name getter
+    const realFPName = Object.getOwnPropertyDescriptor(Function.prototype, 'name');
+    // eslint-disable-next-line no-extend-native
+    Object.defineProperty(Function.prototype, 'name', { value: undefined });
+    assert(getFuncName(longFunc) === '');
+    // eslint-disable-next-line no-extend-native
+    Object.defineProperty(Function.prototype, 'name', realFPName);
+  });
+
   it('should return `null` when passed a String as argument', function () {
     assert(getFuncName('') === null);
   });