fix: ReDos regex vulnerability, reported by @dayshift (#515)

gr2m · web-flow · commit 599ff4f76534 · 2025-02-14T13:30:16.000-08:00
diff --git a/src/parse.ts b/src/parse.ts
@@ -59,7 +59,8 @@ export function parse(options: EndpointDefaults): RequestOptions {
     if (url.endsWith("/graphql")) {
       if (options.mediaType.previews?.length) {
         const previewsFromAcceptHeader =
-          headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]);
+          headers.accept.match(/(?<![\w-])[\w-]+(?=-preview)/g) ||
+          ([] as string[]);
         headers.accept = previewsFromAcceptHeader
           .concat(options.mediaType.previews!)
           .map((preview) => {
diff --git a/src/util/extract-url-variable-names.ts b/src/util/extract-url-variable-names.ts
@@ -1,7 +1,7 @@
-const urlVariableRegex = /\{[^}]+\}/g;
+const urlVariableRegex = /\{[^{}}]+\}/g;
 
 function removeNonChars(variableName: string) {
-  return variableName.replace(/^\W+|\W+$/g, "").split(/,/);
+  return variableName.replace(/(?:^\W+)|(?:(?<!\W)\W+$)/g, "").split(/,/);
 }
 
 export function extractUrlVariableNames(url: string) {
diff --git a/test/parse.test.ts b/test/parse.test.ts
@@ -51,4 +51,106 @@ describe("endpoint.parse()", () => {
 
     expect(input.headers.accept).toEqual("application/vnd.github.v3+json");
   });
+
+  it("Test ReDoS - attack string #1", async () => {
+    const startTime = performance.now();
+    try {
+      endpoint.parse({
+        method: "POST",
+        url: "/graphql", // Ensure that the URL ends with "/graphql"
+        headers: {
+          accept: "" + "A".repeat(100000) + "-", // Pass in the attack string
+          "content-type": "text/plain",
+          "user-agent": "Your User Agent String Here",
+        },
+        mediaType: {
+          previews: ["test-preview"], // Ensure that mediaType.previews exists and has values
+          format: "raw", // Optional media format
+        },
+        baseUrl: "https://api.github.com",
+      });
+    } catch (error) {
+      // pass
+    }
+    const endTime = performance.now();
+    const elapsedTime = endTime - startTime;
+    const reDosThreshold = 2000;
+
+    expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
+    if (elapsedTime > reDosThreshold) {
+      console.warn(
+        `🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(
+          2,
+        )} ms, exceeding threshold of ${reDosThreshold} ms.`,
+      );
+    }
+  });
+
+  it("Test ReDoS - attack string #2", async () => {
+    const startTime = performance.now();
+    try {
+      endpoint.parse({
+        method: "POST",
+        url: "{".repeat(100000) + "@", // Pass in the attack string
+        headers: {
+          accept: "application/vnd.github.v3+json",
+          "content-type": "text/plain",
+          "user-agent": "Your User Agent String Here",
+        },
+        mediaType: {
+          previews: ["test-preview"], // Ensure that mediaType.previews exists and has values
+          format: "raw", // Optional media format
+        },
+        baseUrl: "https://api.github.com",
+      });
+    } catch (error) {
+      // pass
+    }
+    const endTime = performance.now();
+    const elapsedTime = endTime - startTime;
+    const reDosThreshold = 2000;
+
+    expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
+    if (elapsedTime > reDosThreshold) {
+      console.warn(
+        `🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(
+          2,
+        )} ms, exceeding threshold of ${reDosThreshold} ms.`,
+      );
+    }
+  });
+
+  it("Test ReDoS - attack string #3", async () => {
+    const startTime = performance.now();
+    try {
+      endpoint.parse({
+        method: "POST",
+        url: "{" + "00" + "\u0000".repeat(100000) + "a!a" + "}", // Pass in the attack string
+        headers: {
+          accept: "application/vnd.github.v3+json",
+          "content-type": "text/plain",
+          "user-agent": "Your User Agent String Here",
+        },
+        mediaType: {
+          previews: ["test-preview"],
+          format: "raw",
+        },
+        baseUrl: "https://api.github.com",
+      });
+    } catch (error) {
+      // pass
+    }
+    const endTime = performance.now();
+    const elapsedTime = endTime - startTime;
+    const reDosThreshold = 2000;
+
+    expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
+    if (elapsedTime > reDosThreshold) {
+      console.warn(
+        `🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(
+          2,
+        )} ms, exceeding threshold of ${reDosThreshold} ms.`,
+      );
+    }
+  });
 });

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`		`-const urlVariableRegex = /\{[^}]+\}/g;`
	`1`	`+const urlVariableRegex = /\{[^{}}]+\}/g;`
`2`	`2`
`3`	`3`	`function removeNonChars(variableName: string) {`
`4`		`- return variableName.replace(/^\W+\|\W+$/g, "").split(/,/);`
	`4`	`+ return variableName.replace(/(?:^\W+)\|(?:(?<!\W)\W+$)/g, "").split(/,/);`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`export function extractUrlVariableNames(url: string) {`