From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
Date: Mon, 12 May 2025 01:19:39 +0200
Subject: CVE-2023-26117

Fix a ReDoS by replacing the regex with a linear scan.

bug-poc: https://stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos?file=index.js
bug: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045
bug-debian: https://bugs.debian.org/1036694
---
 src/ngResource/resource.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/ngResource/resource.js b/src/ngResource/resource.js
index 11bb45b..3249e3e 100644
--- a/src/ngResource/resource.js
+++ b/src/ngResource/resource.js
@@ -651,7 +651,11 @@ angular.module('ngResource', ['ng']).
 
           // strip trailing slashes and set the url (unless this behavior is specifically disabled)
           if (self.defaults.stripTrailingSlashes) {
-            url = url.replace(/\/+$/, '') || '/';
+            var i = url.length - 1;
+            while (i >= 0 && url[i] == ('/')) {
+               i--;
+            }
+            url = url.slice(0,i + 1) || '/';
           }
 
           // Collapse `/.` if found in the last URL path segment before the query.
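Review bot: The hand-written scan starting at `var i = url.length - 1;` has no comment saying why it replaces the one-line regex, so a later cleanup could restore `/\/+$/` and with it the backtracking cost on long runs of slashes; I would add `// Linear scan instead of /\/+$/ to avoid regex backtracking on slash-heavy URLs (CVE-2023-26117).` above the loop. The comparison `url[i] == ('/')` is better written as `url[i] === '/'`, and `url.slice(0,i + 1)` and the three-space indent on `i--;` drift from the surrounding style. `var i` is function-scoped and the enclosing function starts and ends outside the hunk, so it is worth confirming that no other `i` is in use there. The diffstat shows only resource.js changed, so a spec that passes a URL containing a long slash run and checks both the result and that it returns promptly would pin the fix.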
