Merge commit from fork

nickfloyd · ShiyuBanzhou · web-flow · commit 6c9c5be033c4 · 2025-02-13T09:11:12.000-06:00
* Fix regular term vulnerability

* add test to prevent future regressions

* Fix the other regular term vulnerability

* Trigger Build

---------

Co-authored-by: DayShift &lt;113507098+ShiyuBanzhou@users.noreply.github.com&gt;
Co-authored-by: DayShift &lt;2922897389@qq.com&gt;
diff --git a/src/parse.ts b/src/parse.ts
@@ -59,7 +59,7 @@ export function parse(options: EndpointDefaults): RequestOptions {
     if (url.endsWith("/graphql")) {
       if (options.mediaType.previews?.length) {
         const previewsFromAcceptHeader =
-          headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]);
+          headers.accept.match(/(?<![\w-])[\w-]+(?=-preview)/g) || ([] as string[]);
         headers.accept = previewsFromAcceptHeader
           .concat(options.mediaType.previews!)
           .map((preview) => {
diff --git a/src/util/extract-url-variable-names.ts b/src/util/extract-url-variable-names.ts
@@ -1,7 +1,7 @@
-const urlVariableRegex = /\{[^}]+\}/g;
+const urlVariableRegex = /\{[^{}}]+\}/g;
 
 function removeNonChars(variableName: string) {
-  return variableName.replace(/^\W+|\W+$/g, "").split(/,/);
+  return variableName.replace(/(?:^\W+)|(?:(?<!\W)\W+$)/g, "").split(/,/);
 }
 
 export function extractUrlVariableNames(url: string) {
diff --git a/test/parse.test.ts b/test/parse.test.ts
@@ -52,4 +52,94 @@ describe("endpoint.parse()", () => {
 
     expect(input.headers.accept).toEqual("application/vnd.github.v3+json");
   });
+
+  it("Test ReDoS - attack string #1", async () => {
+    const startTime = performance.now();
+    try {
+      endpoint.parse({
+        method: "POST",
+        url: "/graphql", // Ensure that the URL ends with "/graphql"
+        headers: {
+          accept: "" + "A".repeat(100000) + "-", // Pass in the attack string
+          "content-type": "text/plain",
+          "user-agent": "Your User Agent String Here",
+        },
+        mediaType: {
+          previews: ["test-preview"], // Ensure that mediaType.previews exists and has values
+          format: "raw", // Optional media format
+        },
+        baseUrl: "https://api.github.com",
+      });
+    } catch (error) {
+      // pass
+    }
+    const endTime = performance.now();
+    const elapsedTime = endTime - startTime;
+    const reDosThreshold = 2000; 
+
+    expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
+    if (elapsedTime > reDosThreshold) {
+      console.warn(`🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
+    }
+  });
+
+  it("Test ReDoS - attack string #2", async () => {
+    const startTime = performance.now();
+    try {
+      endpoint.parse({
+        method: "POST",
+        url: "{".repeat(100000) + "@", // Pass in the attack string
+        headers: {
+          accept: "application/vnd.github.v3+json",
+          "content-type": "text/plain",
+          "user-agent": "Your User Agent String Here",
+        },
+        mediaType: {
+          previews: ["test-preview"], // Ensure that mediaType.previews exists and has values
+          format: "raw", // Optional media format
+        },
+        baseUrl: "https://api.github.com",
+      });
+    } catch (error) {
+      // pass
+    }
+    const endTime = performance.now();
+    const elapsedTime = endTime - startTime;
+    const reDosThreshold = 2000; 
+
+    expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
+    if (elapsedTime > reDosThreshold) {
+      console.warn(`🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
+    }
+  });
+
+  it("Test ReDoS - attack string #3", async () => {
+    const startTime = performance.now();
+    try {
+      endpoint.parse({
+        method: "POST",
+        url: "{"+"00"+"\u0000".repeat(100000)+"a!a"+"}", // Pass in the attack string
+        headers: {
+          accept: "application/vnd.github.v3+json",
+          "content-type": "text/plain",
+          "user-agent": "Your User Agent String Here",
+        },
+        mediaType: {
+          previews: ["test-preview"],
+          format: "raw",
+        },
+        baseUrl: "https://api.github.com",
+      });
+    } catch (error) {
+      // pass
+    }
+    const endTime = performance.now();
+    const elapsedTime = endTime - startTime;
+    const reDosThreshold = 2000; 
+
+    expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
+    if (elapsedTime > reDosThreshold) {
+      console.warn(`🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
+    }
+  });
 });

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`		`-const urlVariableRegex = /\{[^}]+\}/g;`
	`1`	`+const urlVariableRegex = /\{[^{}}]+\}/g;`
`2`	`2`
`3`	`3`	`function removeNonChars(variableName: string) {`
`4`		`- return variableName.replace(/^\W+\|\W+$/g, "").split(/,/);`
	`4`	`+ return variableName.replace(/(?:^\W+)\|(?:(?<!\W)\W+$)/g, "").split(/,/);`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`export function extractUrlVariableNames(url: string) {`