RegExp used to detect numbers is vulnerable to ReDoS

[FarSeeing]

Basically the title says everything.

Node code to test:

const Papa = require('papaparse');

const input = '0'.repeat(10000);
const options = {dynamicTyping: true};

let start = process.hrtime.bigint();
Papa.parse(input, options);
let end = process.hrtime.bigint();
console.log(`Numerical input: ${Number(end - start) / 1e9} seconds`);

start = process.hrtime.bigint();
Papa.parse(input + 'a', options);
end = process.hrtime.bigint();
console.log(`Non-numerical input: ${Number(end - start) / 1e9} seconds`);

Results on my PC:
For 10000 characters:

Numerical input: 0.002068456 seconds
Non-numerical input: 0.574908789 seconds

For 100000 characters (note the exponential growth):

Numerical input: 0.002522945 seconds
Non-numerical input: 57.080913533 seconds

This comes from var FLOAT = /^\s*-?(\d*\.?\d+|\d+\.?\d*)(e[-+]?\d+)?\s*$/i; and the issue is in (\d*\.?\d+|\d+\.?\d*) segment.

One possible solution - replace current RE with something like /^\s*-?(\d+\.?|\.\d+|\d+\.\d+)(e[-+]?\d+)?\s*$/. Looks ugly but it works.

[pokoli]

Thanks for opening the issue. I've just added the regexp on #779
Could you please have a look on it?

[FarSeeing]

Yes, looks good to me. Thanks.

[pokoli]

I've uploaded version 5.2.0 to npm which contains this bug fix.