From 6f009fa2f22867f8a5414fa9ef98ca0c72f15be2 Mon Sep 17 00:00:00 2001
From: DayShift <113507098+ShiyuBanzhou@users.noreply.github.com>
Date: Thu, 13 Feb 2025 23:12:31 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20ReDos=20=20regex=20vulnerability,=20repo?=
 =?UTF-8?q?rted=20by=C2=A0@dayshift?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/index.ts | 2 +-
 test/request-error.test.ts | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/src/index.ts b/src/index.ts
index 2626118..d4f4f65 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -76,7 +76,7 @@ export class RequestError extends Error {
 if (options.request.headers.authorization) {
 requestCopy.headers = Object.assign({}, options.request.headers, {
 authorization: options.request.headers.authorization.replace(
- / .*$/,
+ /(? {
+ test("Test ReDoS - attack string", () => {
+ const startTime = performance.now();
+ const error = new RequestError("Oops", 500, {
+ request: {
+ method: "POST",
+ url: "https://api.github.com/foo",
+ body: {
+ bar: "baz",
+ },
+ headers: {
+ authorization: ""+" ".repeat(100000)+"\n@",
+ },
+ },
+ response: {
+ status: 500,
+ url: "https://api.github.com/foo",
+ headers: {
+ "x-github-request-id": "1:2:3:4",
+ },
+ data: {
+ foo: "bar",
+ },
+ },
+ });
+ const endTime = performance.now();
+ const elapsedTime = endTime - startTime;
+ const reDosThreshold = 2000;
+
+ expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
+ if (elapsedTime > reDosThreshold) {
+ console.warn(`🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
+ }
+ });
+
 test("inherits from Error", () => {
 const error = new RequestError("test", 123, mockOptions);
 expect(error).toBeInstanceOf(Error);
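Review bot: The regression test added in the test/request-error.test.ts hunk asserts only wall-clock time, `expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold)` with a 2000 ms budget, which is flaky on a loaded CI runner and can still pass for a quadratic pattern on a 100000-character input on a fast machine, so it does not pin the fix; an assertion on the redacted `request.headers.authorization` value of the constructed error for both the attack string and an ordinary `token …` header would. The `console.warn` block after that `expect` is unreachable when the threshold is exceeded, because the failed expectation throws first, so either drop it or move it above the assertion. The hunk header and the enclosing `describe` are outside the visible text, and the new-side pattern in the src/index.ts hunk is cut off after `/(?`, so the replacement regex itself could not be checked here for linear-time behavior on input with no trailing newline match.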