fix: Potential ReDos vulnerability in url validator

Author: lahirumaramba

src/utils/validator.ts

@@ -244,7 +244,7 @@ export function isURL(urlStr: any): boolean {
     }
     // Validate hostname: Can contain letters, numbers, underscore and dashes separated by a dot.
     // Each zone must not start with a hyphen or underscore.
-    if (!hostname || !/^[a-zA-Z0-9]+[\w-]*([.]?[a-zA-Z0-9]+[\w-]*)*$/.test(hostname)) {
+    if (!hostname || !/^[a-zA-Z0-9]+[\w-]*(\.[a-zA-Z0-9]+[\w-]*)*$/.test(hostname)) {
       return false;
     }
     // Allow for pathnames: (/chars+)*/?

test/unit/utils/validator.spec.ts

@@ -530,3 +530,28 @@ describe('isISODateString()', () => {
     expect(isISODateString(validISODateString)).to.be.true;
   });
 });
+
+describe('isURL() ReDoS and Long Inputs', () => {
+  it('should handle long valid URLs quickly', function () {
+    this.timeout(1000);
+    const longUrl = 'https://' + Array(50).fill('a').join('.') + '.com';
+    expect(isURL(longUrl)).to.be.true;
+  });
+
+  it('should handle long invalid URLs quickly (ReDoS check)', function () {
+    this.timeout(1000);
+    const longInvalid = 'https://' + 'a'.repeat(22) + '!';
+    expect(isURL(longInvalid)).to.be.false;
+  });
+
+  it('should handle very long domain with many segments', function () {
+    this.timeout(1000);
+    const manySegments = 'https://' + Array(100).fill('a').join('.') + '.com';
+    expect(isURL(manySegments)).to.be.true;
+  });
+
+  it('should reject invalid dot usage caught by strict regex', function () {
+    expect(isURL('https://a.b')).to.be.true;
+    expect(isURL('https://a..b')).to.be.false;
+  });
+});