fix(security): harden pattern matcher and qualifier validation

- Cap wildcards per pattern in matchWildcard to prevent polynomial
  backtracking DoS via many alternating `*`/`?` within the overall
  length limit.
- Reject non-string qualifier keys in validateQualifiers (throws
  PurlError when throws=true) and skip them in normalizeQualifiers,
  closing a gap where custom keys iterators could yield non-strings.

Author: jdalton

src/compare.ts

@@ -54,12 +54,30 @@ const WILDCARD_CACHE_MAX = 1024
  * Designed for version strings and package names, not file paths.
  */
 const MAX_PATTERN_LENGTH = 4096
+// Cap wildcards to prevent backtracking DoS via many alternating `*` even
+// under the overall length limit (e.g., `a*b*c*…*z` on a long non-match).
+const MAX_WILDCARDS_PER_PATTERN = 32
+
+function countWildcards(pattern: string): number {
+  let count = 0
+  for (let i = 0, { length } = pattern; i < length; i += 1) {
+    const code = pattern.charCodeAt(i)
+    if (code === 42 /*'*'*/ || code === 63 /*'?'*/) {
+      count += 1
+    }
+  }
+  return count
+}
 
 function matchWildcard(pattern: string, value: string): boolean {
   // Reject excessively long patterns to prevent regex compilation DoS
   if (pattern.length > MAX_PATTERN_LENGTH) {
     return false
   }
+  // Reject patterns with too many wildcards to prevent polynomial backtracking.
+  if (countWildcards(pattern) > MAX_WILDCARDS_PER_PATTERN) {
+    return false
+  }
   let regex = wildcardRegexCache.get(pattern)
   if (regex === undefined) {
     // Convert glob pattern to regex

src/normalize.ts

@@ -95,6 +95,10 @@ function normalizeQualifiers(
   let qualifiers: Record<string, string> | undefined
   // Use for-of to work with entries iterators
   for (const { 0: key, 1: value } of qualifiersToEntries(rawQualifiers)) {
+    // Skip non-string keys — validateQualifiers rejects these with PurlError.
+    if (typeof key !== 'string') {
+      continue
+    }
     // Only coerce primitive types — reject objects/functions that could
     // execute arbitrary code via toString() during coercion.
     const strValue =

src/validate.ts

@@ -236,6 +236,12 @@ function validateQualifiers(
   // Use for-of to work with URLSearchParams#keys iterators
   // type-coverage:ignore-next-line -- TypeScript correctly infers the iteration type
   for (const key of keysIterable) {
+    if (typeof key !== 'string') {
+      if (throws) {
+        throw new PurlError('qualifier key must be a string')
+      }
+      return false
+    }
     if (!validateQualifierKey(key, opts)) {
       return false
     }

test/coverage-edge-cases.test.mts

@@ -14,6 +14,7 @@ import {
   findCommandInjectionCharCode,
 } from '../src/strings.js'
 import { encodeQualifiers } from '../src/encode.js'
+import { normalizeQualifiers } from '../src/normalize.js'
 import { stringify } from '../src/stringify.js'
 import { UrlConverter } from '../src/url-converter.js'
 import {
@@ -91,6 +92,28 @@ describe('validate edge cases', () => {
     })
   })
 
+  describe('validateQualifiers non-string key via custom keys iterator', () => {
+    it('returns false for non-string key (non-throwing)', () => {
+      const qualifiers = {
+        keys() {
+          return [42 as unknown as string][Symbol.iterator]()
+        },
+      }
+      expect(validateQualifiers(qualifiers, { throws: false })).toBe(false)
+    })
+
+    it('throws PurlError for non-string key (throwing)', () => {
+      const qualifiers = {
+        keys() {
+          return [42 as unknown as string][Symbol.iterator]()
+        },
+      }
+      expect(() => validateQualifiers(qualifiers, { throws: true })).toThrow(
+        PurlError,
+      )
+    })
+  })
+
   describe('validateSubpath command injection', () => {
     it('returns false for subpath with pipe (non-throwing)', () => {
       expect(validateSubpath('src|evil', { throws: false })).toBe(false)
@@ -424,6 +447,21 @@ describe('compare edge cases', () => {
       )
       expect(matches(longPattern, purl)).toBe(false)
     })
+
+    it('returns false when pattern exceeds max wildcards (>32)', () => {
+      // 33 wildcards in the name component — over MAX_WILDCARDS_PER_PATTERN (32)
+      const manyWildcardsName = 'a*'.repeat(33)
+      const pattern = `pkg:npm/${manyWildcardsName}`
+      const purl = new PackageURL(
+        'npm',
+        undefined,
+        'lodash',
+        '4.17.21',
+        undefined,
+        undefined,
+      )
+      expect(matches(pattern, purl)).toBe(false)
+    })
   })
 
   describe('wildcard cache eviction', () => {
@@ -599,6 +637,71 @@ describe('encodeQualifiers edge case', () => {
   })
 })
 
+// ---------------------------------------------------------------------------
+// normalize.ts — non-string key branch in normalizeQualifiers
+// ---------------------------------------------------------------------------
+describe('normalizeQualifiers non-string key handling', () => {
+  it('skips non-string keys surfaced by a custom entries iterator', () => {
+    const rawQualifiers = {
+      entries() {
+        return (
+          [
+            [42, 'ignored'],
+            ['real', 'kept'],
+          ] as unknown as Array<[string, string]>
+        )[Symbol.iterator]()
+      },
+    }
+    const result = normalizeQualifiers(rawQualifiers)
+    expect(result).toEqual({ real: 'kept' })
+  })
+})
+
+// ---------------------------------------------------------------------------
+// purl-types/maven.ts — namespace must not contain a slash
+// ---------------------------------------------------------------------------
+describe('maven namespace slash validation', () => {
+  it('returns false (non-throwing) when maven namespace contains a slash', () => {
+    const validate = (PurlType as any).maven.validate as (
+      purl: Record<string, unknown>,
+      throws: boolean,
+    ) => boolean
+    expect(
+      validate(
+        {
+          type: 'maven',
+          namespace: 'org.apache/commons',
+          name: 'commons-lang3',
+          version: '3.12.0',
+          qualifiers: undefined,
+          subpath: undefined,
+        },
+        false,
+      ),
+    ).toBe(false)
+  })
+
+  it('throws PurlError when validating maven namespace with slash directly', () => {
+    const validate = (PurlType as any).maven.validate as (
+      purl: Record<string, unknown>,
+      throws: boolean,
+    ) => boolean
+    expect(() =>
+      validate(
+        {
+          type: 'maven',
+          namespace: 'org.apache/commons',
+          name: 'commons-lang3',
+          version: '3.12.0',
+          qualifiers: undefined,
+          subpath: undefined,
+        },
+        true,
+      ),
+    ).toThrow(PurlError)
+  })
+})
+
 // ---------------------------------------------------------------------------
 // package-url.ts — flyweight cache eviction in fromString
 // ---------------------------------------------------------------------------