diff --git a/package-lock.json b/package-lock.json
index 03bb8082e..d66c5338e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,8 +9,8 @@
 "version": "0.0.0-development",
 "license": "MIT",
 "dependencies": {
- "@octokit/endpoint": "^9.0.1",
- "@octokit/request-error": "^5.1.0",
+ "@octokit/endpoint": "^9.0.6",
+ "@octokit/request-error": "^5.1.1",
 "@octokit/types": "^13.1.0",
 "universal-user-agent": "^6.0.0"
 },
@@ -1572,9 +1572,10 @@
 }
 },
 "node_modules/@octokit/endpoint": {
- "version": "9.0.5",
- "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.5.tgz",
- "integrity": "sha512-ekqR4/+PCLkEBF6qgj8WqJfvDq65RH85OAgrtnVp1mSxaXF03u2xW/hUdweGS5654IlC0wkNYC18Z50tSYTAFw==",
+ "version": "9.0.6",
+ "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.6.tgz",
+ "integrity": "sha512-H1fNTMA57HbkFESSt3Y9+FBICv+0jFceJFPWDePYlR/iMGrwM5ph+Dd4XRQs+8X+PUFURLQgX9ChPfhJ/1uNQw==",
+ "license": "MIT",
 "dependencies": {
 "@octokit/types": "^13.1.0",
 "universal-user-agent": "^6.0.0"
@@ -1640,9 +1641,10 @@
 }
 },
 "node_modules/@octokit/request-error": {
- "version": "5.1.0",
- "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.1.0.tgz",
- "integrity": "sha512-GETXfE05J0+7H2STzekpKObFe765O5dlAKUTLNGeH+x47z7JjXHfsHKo5z21D/o/IOZTUEI6nyWyR+bZVP/n5Q==",
+ "version": "5.1.1",
+ "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.1.1.tgz",
+ "integrity": "sha512-v9iyEQJH6ZntoENr9/yXxjuezh4My67CBSu9r6Ve/05Iu5gNgnisNWOsoJHTP6k0Rr0+HQIpnH+kyammu90q/g==",
+ "license": "MIT",
 "dependencies": {
 "@octokit/types": "^13.1.0",
 "deprecation": "^2.0.0",
diff --git a/package.json b/package.json
index 1024464b4..41c525f0f 100644
--- a/package.json
+++ b/package.json
@@ -23,8 +23,8 @@
 "author": "Gregor Martynus (https://github.com/gr2m)",
 "license": "MIT",
 "dependencies": {
- "@octokit/endpoint": "^9.0.1",
- "@octokit/request-error": "^5.1.0",
+ "@octokit/endpoint": "^9.0.6",
+ "@octokit/request-error": "^5.1.1",
 "@octokit/types": "^13.1.0",
 "universal-user-agent": "^6.0.0"
 },
diff --git a/src/fetch-wrapper.ts b/src/fetch-wrapper.ts
index 9b32d76a1..9b966bb44 100644
--- a/src/fetch-wrapper.ts
+++ b/src/fetch-wrapper.ts
@@ -56,7 +56,7 @@ export default function fetchWrapper(
 if ("deprecation" in headers) {
 const matches =
- headers.link && headers.link.match(/<([^>]+)>; rel="deprecation"/);
+ headers.link && headers.link.match(/<([^<>]+)>; rel="deprecation"/);
 const deprecationLink = matches && matches.pop();
 log.warn(
 `[@octokit/request] "${requestOptions.method} ${
diff --git a/test/request.test.ts b/test/request.test.ts
index f29f783cf..674510c49 100644
--- a/test/request.test.ts
+++ b/test/request.test.ts
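Review bot: The new `[^<>]` class on the `+` line is the whole fix for the quadratic backtracking, but nothing in the code says so, and a future "simplification" back to `[^>]` would silently reintroduce the problem; add a why-comment above the match, `// [^<>] rather than [^>]: a Link header made of repeated "<" must fail at each start position instead of backtracking (ReDoS)`. The `link` value is a response header, so this regex does run on server-controlled input whenever a `deprecation` header is also present, which is why linear matching matters here. With `[^<>]+`, a `<` that is immediately followed by another `<` or by `>` fails at once, so the scan is linear in the header length rather than quadratic as with `[^>]+`. The enclosing `fetchWrapper` function begins and ends outside this hunk.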
@@ -18,6 +18,33 @@ const userAgent = `octokit-request.js/0.0.0-development ${getUserAgent()}`;
 const stringToArrayBuffer = require("string-to-arraybuffer");
 describe("request()", () => {
+ it("Test ReDoS - attack string", () => {
+ const fakeFetch = async (url: string, options?: RequestInit) => {
+ const response = await fetch(url, options);
+ const fakeHeaders = new Headers(response.headers);
+ fakeHeaders.set("link", "<".repeat(100000) + ">");
+ fakeHeaders.set("deprecation", "true");
+ return new Response(response.body, {
+ status: response.status,
+ statusText: response.statusText,
+ headers: fakeHeaders,
+ });
+ };
+ const startTime = performance.now();
+ request("GET /repos/octocat/hello-world", {
+ request: { fetch: fakeFetch },
+ });
+ const endTime = performance.now();
+ const elapsedTime = endTime - startTime;
+ const reDosThreshold = 2000;
+ expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
+ if (elapsedTime > reDosThreshold) {
+ console.warn(
+ `🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`,
+ );
+ }
+ });
+
 it("is a function", () => {
 expect(request).toBeInstanceOf(Function);
 });
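Review bot: The `request(...)` call in the new test is never awaited, so `endTime` is taken before the response handler — the code path where the deprecation-link regex runs — has executed; the test times only synchronous setup and would pass unchanged against the old `[^>]+` pattern, while the dangling promise can also surface as an unhandled rejection. `fakeFetch` additionally performs a real `fetch(url, options)` against GitHub inside a unit test, and the `console.warn` after `expect(...).toBeLessThanOrEqual(...)` is unreachable because a failed expectation throws first. Make the callback `async`, `await` the request, and construct the `Response` locally so the test is offline and actually drives the regex with the attack header; the rest of this file presumably mocks fetch rather than hitting the network, so align with however it does that.
```typescript
  it("Test ReDoS - attack string", async () => {
    // Offline: canned JSON response whose Link header is the attack string.
    const fakeFetch = async () =>
      new Response("{}", {
        status: 200,
        headers: {
          "content-type": "application/json",
          link: "<".repeat(100000) + ">",
          deprecation: "true",
        },
      });
    const startTime = performance.now();
    await request("GET /repos/octocat/hello-world", {
      request: { fetch: fakeFetch },
    });
    const elapsedTime = performance.now() - startTime;
    const reDosThreshold = 2000;
    expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
  });
```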