fix(isBase64): replace regex with iterative validation to prevent stack overflow

V8's regex engine uses internal recursion proportional to string length,
causing 'Maximum call stack size exceeded' on large inputs. Replace all
4 regex patterns with iterative character-code validation that runs in
O(n) time with O(1) stack usage.

Closes #2573

Author: easedu

src/lib/isBase64.js

@@ -1,10 +1,18 @@
 import assertString from './util/assertString';
 import merge from './util/merge';
 
-const base64WithPadding = /^[A-Za-z0-9+/]+={0,2}$/;
-const base64WithoutPadding = /^[A-Za-z0-9+/]+$/;
-const base64UrlWithPadding = /^[A-Za-z0-9_-]+={0,2}$/;
-const base64UrlWithoutPadding = /^[A-Za-z0-9_-]+$/;
+function isValidBase64Char(code, urlSafe) {
+  // A-Z (65-90), a-z (97-122), 0-9 (48-57)
+  if ((code >= 65 && code <= 90)
+    || (code >= 97 && code <= 122)
+    || (code >= 48 && code <= 57)) {
+    return true;
+  }
+  if (urlSafe) {
+    return code === 45 || code === 95; // - _
+  }
+  return code === 43 || code === 47; // + /
+}
 
 export default function isBase64(str, options) {
   assertString(str);
@@ -14,12 +22,27 @@ export default function isBase64(str, options) {
 
   if (options.padding && str.length % 4 !== 0) return false;
 
-  let regex;
-  if (options.urlSafe) {
-    regex = options.padding ? base64UrlWithPadding : base64UrlWithoutPadding;
+  if (options.padding) {
+    // Count trailing '=' padding
+    let paddingCount = 0;
+    let len = str.length;
+    while (paddingCount < len && str.charCodeAt(len - 1 - paddingCount) === 61) {
+      paddingCount += 1;
+    }
+    if (paddingCount > 2) return false;
+
+    const dataLen = len - paddingCount;
+    if (dataLen === 0) return false;
+
+    for (let i = 0; i < dataLen; i++) {
+      if (!isValidBase64Char(str.charCodeAt(i), options.urlSafe)) return false;
+    }
   } else {
-    regex = options.padding ? base64WithPadding : base64WithoutPadding;
+    // No padding allowed — all chars must be valid base64
+    for (let i = 0; i < str.length; i++) {
+      if (!isValidBase64Char(str.charCodeAt(i), options.urlSafe)) return false;
+    }
   }
 
-  return (!options.padding || str.length % 4 === 0) && regex.test(str);
+  return true;
 }

test/validators/isBase64.test.js

@@ -198,4 +198,24 @@ describe('isBase64', () => {
       ],
     });
   });
+
+  it('should not cause stack overflow on large strings', () => {
+    // Valid base64 ~1MB
+    const largeValid = Buffer.alloc(1000000).toString('base64');
+    if (!validator.isBase64(largeValid)) {
+      throw new Error('isBase64() failed for a large valid base64 string');
+    }
+
+    // Invalid: large base64 with an invalid character in the middle
+    const largeInvalid = `${largeValid.slice(0, 500000)}!${largeValid.slice(500001)}`;
+    if (validator.isBase64(largeInvalid)) {
+      throw new Error('isBase64() should have failed for a large invalid base64 string');
+    }
+
+    // URL-safe variant
+    const largeUrlSafe = largeValid.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+    if (!validator.isBase64(largeUrlSafe, { urlSafe: true })) {
+      throw new Error('isBase64() failed for a large valid base64url string');
+    }
+  });
 });