Merge pull request from GHSA-r6ch-mqf9-qc9w

Trott · mcollina · web-flow · commit f2324e549943 · 2023-02-13T12:23:21.000+01:00
Refs: https://hackerone.com/bugs?report_id=1784449 Co-authored-by: Matteo Collina <hello@matteocollina.com>
diff --git a/lib/fetch/headers.js b/lib/fetch/headers.js
@@ -24,10 +24,12 @@ function headerValueNormalize (potentialValue) {
   //  To normalize a byte sequence potentialValue, remove
   //  any leading and trailing HTTP whitespace bytes from
   //  potentialValue.
-  return potentialValue.replace(
-    /^[\r\n\t ]+|[\r\n\t ]+$/g,
-    ''
-  )
+
+  // Trimming the end with `.replace()` and a RegExp is typically subject to
+  // ReDoS. This is safer and faster.
+  let i = potentialValue.length
+  while (/[\r\n\t ]/.test(potentialValue.charAt(--i)));
+  return potentialValue.slice(0, i + 1).replace(/^[\r\n\t ]+/, '')
 }
 
 function fill (headers, object) {
diff --git a/test/fetch/headers.js b/test/fetch/headers.js
@@ -666,6 +666,18 @@ tap.test('invalid headers', (t) => {
   t.end()
 })
 
+tap.test('headers that might cause a ReDoS', (t) => {
+  t.doesNotThrow(() => {
+    // This test will time out if the ReDoS attack is successful.
+    const headers = new Headers()
+    const attack = 'a' + '\t'.repeat(500_000) + '\ta'
+    headers.append('fhqwhgads', attack)
+  })
+
+  t.end()
+})
+
+
 tap.test('Headers.prototype.getSetCookie', (t) => {
   t.test('Mutating the returned list does not affect the set-cookie list', (t) => {
     const h = new Headers([
@@ -682,4 +694,4 @@ tap.test('Headers.prototype.getSetCookie', (t) => {
   })
 
   t.end()
-})
+})
