From 2d189b98d745058f804af27acd7ac1d0c5e1adae Mon Sep 17 00:00:00 2001
From: wolfy1339
Date: Fri, 14 Feb 2025 17:30:38 -0500
Subject: [PATCH 1/5] fix: ReDos regex vulnerability, reported by @DayShift
---
 src/fetch-wrapper.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/fetch-wrapper.ts b/src/fetch-wrapper.ts
index 9b32d76a1..9b966bb44 100644
--- a/src/fetch-wrapper.ts
+++ b/src/fetch-wrapper.ts
@@ -56,7 +56,7 @@ export default function fetchWrapper(
 if ("deprecation" in headers) {
 const matches =
- headers.link && headers.link.match(/<([^>]+)>; rel="deprecation"/);
+ headers.link && headers.link.match(/<([^<>]+)>; rel="deprecation"/);
 const deprecationLink = matches && matches.pop();
 log.warn(
 `[@octokit/request] "${requestOptions.method} ${
From 575392f1373d78cd6f84c09ae563c7297eac1882 Mon Sep 17 00:00:00 2001
From: wolfy1339
Date: Fri, 14 Feb 2025 17:30:51 -0500
Subject: [PATCH 2/5] test: ReDos regex vulnerability, reported by @dayshift
---
 test/request.test.ts | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/test/request.test.ts b/test/request.test.ts
index f29f783cf..ab3272624 100644
--- a/test/request.test.ts
+++ b/test/request.test.ts
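Review bot: The `[^<>]` class on the new `headers.link.match(...)` line is the whole fix, but nothing says why `<` must be excluded, and the obvious "simplification" back to `[^>]` would quietly reintroduce the quadratic behaviour. With `[^>]+`, every `<` in a header made of repeated `<` is a match start that scans to the closing `>` before failing on `; rel=`, so total cost grows with the square of the header length; excluding `<` makes each such start fail after one character. Add a comment above the call, e.g. `// [^<>], not [^>]: a Link header of many "<" made this match backtrack quadratically (ReDoS)`. The Link header comes from whatever server `baseUrl` points at, so it is attacker-controlled for non-github.com deployments — worth stating in the same comment. `fetchWrapper` begins and ends outside the hunk.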
@@ -18,6 +18,30 @@ const userAgent = `octokit-request.js/0.0.0-development ${getUserAgent()}`;
 const stringToArrayBuffer = require("string-to-arraybuffer");
 describe("request()", () => {
+ it("Test ReDoS - attack string", () => {
+ const originalFetch = globalThis.fetch;
+ globalThis.fetch = async (url, options) => {
+ const response = await originalFetch(url, options);
+ const fakeHeaders = new Headers(response.headers);
+ fakeHeaders.set("link", "<".repeat(100000) + ">");
+ fakeHeaders.set("deprecation", "true");
+ return new Response(response.body, {
+ status: response.status,
+ statusText: response.statusText,
+ headers: fakeHeaders
+ });
+ };
+ const startTime = performance.now();
+ request("GET /repos/octocat/hello-world");
+ const endTime = performance.now();
+ const elapsedTime = endTime - startTime;
+ const reDosThreshold = 2000;
+ expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
+ if (elapsedTime > reDosThreshold) {
+ console.warn(`🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
+ }
+ });
+
 it("is a function", () => {
 expect(request).toBeInstanceOf(Function);
 });
From 28c09b5b85c6d2ed3edb3aa2f9a337c4fb67c231 Mon Sep 17 00:00:00 2001
From: wolfy1339
Date: Fri, 14 Feb 2025 17:31:18 -0500
Subject: [PATCH 3/5] fix: update Octokit dependencies to mitigate ReDos
---
 package-lock.json | 18 ++++++++++--------
 package.json | 4 ++--
 2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 03bb8082e..d66c5338e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,8 +9,8 @@
 "version": "0.0.0-development",
 "license": "MIT",
 "dependencies": {
- "@octokit/endpoint": "^9.0.1",
- "@octokit/request-error": "^5.1.0",
+ "@octokit/endpoint": "^9.0.6",
+ "@octokit/request-error": "^5.1.1",
 "@octokit/types": "^13.1.0",
 "universal-user-agent": "^6.0.0"
 },
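Review bot: `request("GET /repos/octocat/hello-world")` between the two `performance.now()` calls is never awaited, so `endTime` is taken before the overridden fetch has returned and before the Link header is parsed; `elapsedTime` measures only synchronous call setup and would stay under the threshold even with the old `[^>]+` regex. Make the callback `async () => {` and write `await request("GET /repos/octocat/hello-world");` so the timing actually brackets the header handling. Because the promise is dropped, a failure inside `originalFetch` also surfaces as an unhandled rejection rather than a test failure, which is another reason to await it.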
@@ -1572,9 +1572,10 @@
 }
 },
 "node_modules/@octokit/endpoint": {
- "version": "9.0.5",
- "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.5.tgz",
- "integrity": "sha512-ekqR4/+PCLkEBF6qgj8WqJfvDq65RH85OAgrtnVp1mSxaXF03u2xW/hUdweGS5654IlC0wkNYC18Z50tSYTAFw==",
+ "version": "9.0.6",
+ "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.6.tgz",
+ "integrity": "sha512-H1fNTMA57HbkFESSt3Y9+FBICv+0jFceJFPWDePYlR/iMGrwM5ph+Dd4XRQs+8X+PUFURLQgX9ChPfhJ/1uNQw==",
+ "license": "MIT",
 "dependencies": {
 "@octokit/types": "^13.1.0",
 "universal-user-agent": "^6.0.0"
@@ -1640,9 +1641,10 @@
 }
 },
 "node_modules/@octokit/request-error": {
- "version": "5.1.0",
- "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.1.0.tgz",
- "integrity": "sha512-GETXfE05J0+7H2STzekpKObFe765O5dlAKUTLNGeH+x47z7JjXHfsHKo5z21D/o/IOZTUEI6nyWyR+bZVP/n5Q==",
+ "version": "5.1.1",
+ "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.1.1.tgz",
+ "integrity": "sha512-v9iyEQJH6ZntoENr9/yXxjuezh4My67CBSu9r6Ve/05Iu5gNgnisNWOsoJHTP6k0Rr0+HQIpnH+kyammu90q/g==",
+ "license": "MIT",
 "dependencies": {
 "@octokit/types": "^13.1.0",
 "deprecation": "^2.0.0",
diff --git a/package.json b/package.json
index 1024464b4..41c525f0f 100644
--- a/package.json
+++ b/package.json
@@ -23,8 +23,8 @@
 "author": "Gregor Martynus (https://github.com/gr2m)",
 "license": "MIT",
 "dependencies": {
- "@octokit/endpoint": "^9.0.1",
- "@octokit/request-error": "^5.1.0",
+ "@octokit/endpoint": "^9.0.6",
+ "@octokit/request-error": "^5.1.1",
 "@octokit/types": "^13.1.0",
 "universal-user-agent": "^6.0.0"
 },
From a7cd2006f3efd32fc810067a43b387adde7e0e4e Mon Sep 17 00:00:00 2001
From: wolfy1339
Date: Fri, 14 Feb 2025 17:35:33 -0500
Subject: [PATCH 4/5] test: remove global pollution
---
 test/request.test.ts | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/test/request.test.ts b/test/request.test.ts
index ab3272624..581fc19d0 100644
--- a/test/request.test.ts
+++ b/test/request.test.ts
@@ -18,27 +18,30 @@ const userAgent = `octokit-request.js/0.0.0-development ${getUserAgent()}`;
 const stringToArrayBuffer = require("string-to-arraybuffer");
 describe("request()", () => {
- it("Test ReDoS - attack string", () => {
- const originalFetch = globalThis.fetch;
- globalThis.fetch = async (url, options) => {
- const response = await originalFetch(url, options);
+ it("Test ReDoS - attack string", () => {
+ const fakeFetch = async (url, options) => {
+ const response = await fetch(url, options);
 const fakeHeaders = new Headers(response.headers);
 fakeHeaders.set("link", "<".repeat(100000) + ">");
 fakeHeaders.set("deprecation", "true");
 return new Response(response.body, {
 status: response.status,
 statusText: response.statusText,
- headers: fakeHeaders
+ headers: fakeHeaders,
 });
 };
 const startTime = performance.now();
- request("GET /repos/octocat/hello-world");
+ request("GET /repos/octocat/hello-world", {
+ request: { fetch: fakeFetch },
+ });
 const endTime = performance.now();
 const elapsedTime = endTime - startTime;
- const reDosThreshold = 2000;
+ const reDosThreshold = 2000;
 expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
 if (elapsedTime > reDosThreshold) {
- console.warn(`🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
+ console.warn(
+ `🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`,
+ );
 }
 });
From c35f2bd72c00c3f4179b4868232bb381ef91a1ff Mon Sep 17 00:00:00 2001
From: wolfy1339
Date: Fri, 14 Feb 2025 17:37:35 -0500
Subject: [PATCH 5/5] test: add missing types
---
 test/request.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/request.test.ts b/test/request.test.ts
index 581fc19d0..674510c49 100644
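Review bot: `fakeFetch` on the new side still does `await fetch(url, options)` against the real API before swapping in the headers, so the 2000 ms budget is dominated by network latency and the test fails offline or when rate-limited, independently of the regex under test. Build the response locally, as below, so the only work inside the timed window is the header parsing. The `console.warn` inside `if (elapsedTime > reDosThreshold)` is dead code, because `expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold)` throws first; drop it or place it before the assertion. The `request(...)` call is also still not awaited, so the measurement ends before `fakeFetch` even runs — make the callback `async` and `await` the call.
```typescript
    const fakeFetch = async () => {
      // No network: the attack string is the only thing the request sees.
      const fakeHeaders = new Headers({
        "content-type": "application/json",
        link: "<".repeat(100000) + ">",
        deprecation: "true",
      });
      return new Response("{}", { status: 200, headers: fakeHeaders });
    };
    // … unchanged: timing, request() call with { request: { fetch: fakeFetch } }, threshold assertion …
```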
--- a/test/request.test.ts
+++ b/test/request.test.ts
@@ -19,7 +19,7 @@ const stringToArrayBuffer = require("string-to-arraybuffer");
 describe("request()", () => {
 it("Test ReDoS - attack string", () => {
- const fakeFetch = async (url, options) => {
+ const fakeFetch = async (url: string, options?: RequestInit) => {
 const response = await fetch(url, options);
 const fakeHeaders = new Headers(response.headers);
 fakeHeaders.set("link", "<".repeat(100000) + ">");