Skip to content

Commit 356411e

Browse files
wolfy1339wolfy1339
authored
fix: ReDos regex vulnerability, reported by @dayshift (#741)
1 parent abc4955 commit 356411e

4 files changed

Lines changed: 40 additions & 11 deletions

File tree

package-lock.json

Lines changed: 10 additions & 8 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

package.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -23,8 +23,8 @@
2323
"author": "Gregor Martynus (https://github.com/gr2m)",
2424
"license": "MIT",
2525
"dependencies": {
26-
"@octokit/endpoint": "^9.0.1",
27-
"@octokit/request-error": "^5.1.0",
26+
"@octokit/endpoint": "^9.0.6",
27+
"@octokit/request-error": "^5.1.1",
2828
"@octokit/types": "^13.1.0",
2929
"universal-user-agent": "^6.0.0"
3030
},

src/fetch-wrapper.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -56,7 +56,7 @@ export default function fetchWrapper(
5656

5757
if ("deprecation" in headers) {
5858
const matches =
59-
headers.link && headers.link.match(/<([^>]+)>; rel="deprecation"/);
59+
headers.link && headers.link.match(/<([^<>]+)>; rel="deprecation"/);
6060
const deprecationLink = matches && matches.pop();
6161
log.warn(
6262
`[@octokit/request] "${requestOptions.method} ${

test/request.test.ts

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,33 @@ const userAgent = `octokit-request.js/0.0.0-development ${getUserAgent()}`;
1818
const stringToArrayBuffer = require("string-to-arraybuffer");
1919

2020
describe("request()", () => {
21+
it("Test ReDoS - attack string", () => {
22+
const fakeFetch = async (url: string, options?: RequestInit) => {
23+
const response = await fetch(url, options);
24+
const fakeHeaders = new Headers(response.headers);
25+
fakeHeaders.set("link", "<".repeat(100000) + ">");
26+
fakeHeaders.set("deprecation", "true");
27+
return new Response(response.body, {
28+
status: response.status,
29+
statusText: response.statusText,
30+
headers: fakeHeaders,
31+
});
32+
};
33+
const startTime = performance.now();
34+
request("GET /repos/octocat/hello-world", {
35+
request: { fetch: fakeFetch },
36+
});
37+
const endTime = performance.now();
38+
const elapsedTime = endTime - startTime;
39+
const reDosThreshold = 2000;
40+
expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
41+
if (elapsedTime > reDosThreshold) {
42+
console.warn(
43+
`🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`,
44+
);
45+
}
46+
});
47+
2148
it("is a function", () => {
2249
expect(request).toBeInstanceOf(Function);
2350
});

0 commit comments

Comments
 (0)