Description
This vulnerability is the same as the one described in the linked issue.
In this project, the vulnerable regex `^-?\d*(\.(?=\d))?\d*$` is used here. Whenever the optional `(\.(?=\d))?` group is skipped, the two `\d*` runs become adjacent, so on a long string of digits followed by a character that cannot match, a backtracking engine tries every split between them before failing, and matching time grows polynomially with input length.
How to repair
Here is my repair solution:
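/**
 * ReDoS-safe replacement for a match against `^-?\d*(\.(?=\d))?\d*$`.
 *
 * RE2 guarantees linear-time matching but has no lookahead, so the
 * optional dot is captured on its own (group 1) and the digits after it
 * as group 2; the rule "a dot must be followed by a digit" is then
 * enforced in code. The accepted language is the same as the original
 * pattern's: "", "-", "12", "-1", "1.5" and ".5" match, "1." and "." do
 * not.
 *
 * @param {string} string - input to check
 * @param {Function} [RE2] - regex engine constructor exposing `match()`;
 *   defaults to the `re2` package, loaded lazily on first use
 * @returns {Array|null} the match result (index 1 is "." or undefined,
 *   index 2 the digits after the dot) or null when the input is rejected
 */
function safeMatch(string, RE2 = require("re2")) {
  const re = new RE2(/^-?\d*(\.)?(\d*)$/);
  const res = re.match(string);
  if (res == null) {
    return null;
  }
  // An unmatched capture group is `undefined`, never `null`, so the
  // comparison must be `!= null`; otherwise the digit check also runs
  // for inputs with no dot, where the greedy leading `\d*` has already
  // consumed every digit and group 2 is always "" — rejecting "12".
  const [, dot, fraction] = res;
  if (dot != null && fraction === "") {
    return null;
  }
  return res;
}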
// Expected: [ '-1.1', '.', '1', index: 0, input: '-1.1', groups: undefined ]
console.log(safeMatch("-1.1"));
// Expected: null (the dot is not followed by a digit)
console.log(safeMatch("-1."));
console.log(safeMatch(".")) // null
You can find detailed information in the linked issue.