Skip to content

Commit

Permalink
Merge pull request from GHSA-r6ch-mqf9-qc9w
Browse files Browse the repository at this point in the history
Refs: https://hackerone.com/bugs?report_id=1784449

Co-authored-by: Matteo Collina <hello@matteocollina.com>
  • Loading branch information
Trott and mcollina authored Feb 13, 2023
1 parent a2eff05 commit f2324e5
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 5 deletions.
10 changes: 6 additions & 4 deletions lib/fetch/headers.js
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,12 @@ function headerValueNormalize (potentialValue) {
// To normalize a byte sequence potentialValue, remove
// any leading and trailing HTTP whitespace bytes from
// potentialValue.
return potentialValue.replace(
/^[\r\n\t ]+|[\r\n\t ]+$/g,
''
)

// Trimming the end with `.replace()` and a RegExp is typically subject to
// ReDoS. This is safer and faster.
let i = potentialValue.length
while (/[\r\n\t ]/.test(potentialValue.charAt(--i)));
return potentialValue.slice(0, i + 1).replace(/^[\r\n\t ]+/, '')
}

function fill (headers, object) {
Expand Down
14 changes: 13 additions & 1 deletion test/fetch/headers.js
Original file line number Diff line number Diff line change
Expand Up @@ -666,6 +666,18 @@ tap.test('invalid headers', (t) => {
t.end()
})

tap.test('headers that might cause a ReDoS', (t) => {
t.doesNotThrow(() => {
// This test will time out if the ReDoS attack is successful.
const headers = new Headers()
const attack = 'a' + '\t'.repeat(500_000) + '\ta'
headers.append('fhqwhgads', attack)
})

t.end()
})


tap.test('Headers.prototype.getSetCookie', (t) => {
t.test('Mutating the returned list does not affect the set-cookie list', (t) => {
const h = new Headers([
Expand All @@ -682,4 +694,4 @@ tap.test('Headers.prototype.getSetCookie', (t) => {
})

t.end()
})
})

0 comments on commit f2324e5

Please sign in to comment.