From 282bfb6c1129224b9ec477342371c0b6cb569d6e Mon Sep 17 00:00:00 2001
From: DayShift <2922897389@qq.com>
Date: Wed, 22 Jan 2025 09:54:05 +0800
Subject: [PATCH] Fix the regular expression in the getDuration method to prevent ReDoS attacks and update error messages in test cases.
---
 server/modules/apicache/apicache.js | 2 +-
 test/backend-test/test-apicache-ReDos.js | 26 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 test/backend-test/test-apicache-ReDos.js
diff --git a/server/modules/apicache/apicache.js b/server/modules/apicache/apicache.js
index 41930b24d..58f5e1971 100644
--- a/server/modules/apicache/apicache.js
+++ b/server/modules/apicache/apicache.js
@@ -485,7 +485,7 @@ function ApiCache() {
 }
 if (typeof duration === "string") {
- let split = duration.match(/^([\d\.,]+)\s?(\w+)$/);
+ let split = duration.match(/^([\d\.,]+)\s?((?:(?!\d)\w)+)$/);
 if (split.length === 3) {
 let len = parseFloat(split[1]);
diff --git a/test/backend-test/test-apicache-ReDos.js b/test/backend-test/test-apicache-ReDos.js
new file mode 100644
index 000000000..cfaa79e9a
--- /dev/null
+++ b/test/backend-test/test-apicache-ReDos.js
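Review bot: `duration.match(...)` returns null for any string the new pattern rejects, and the untouched context line `if (split.length === 3)` then throws a TypeError instead of reaching whatever fallback getDuration has for unparseable input; the ReDoS test added in this same patch appears to pass such input only because it swallows that exception. Guard the match before indexing it, e.g. `if (split && split.length === 3) {`. The lookahead form `((?:(?!\d)\w)+)` is equivalent to `([A-Za-z_]+)`, which reads more plainly while still keeping digits out of the unit group so that a long digit run can only be consumed by the first group and cannot be re-split between the two on backtracking. Either way, a one-line comment such as `// unit group must not accept digits: a digit run shared by both groups backtracks quadratically (ReDoS)` records why the pattern is shaped this way. getDuration starts and ends outside the hunk.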
@@ -0,0 +1,26 @@
+const semver = require("semver");
+let test;
+const nodeVersion = process.versions.node;
+if (semver.satisfies(nodeVersion, ">= 18")) {
+ test = require("node:test");
+} else {
+ test = require("test");
+}
+const apicacheModule = require("../../server/modules/apicache/apicache.js");
+
+const assert = require("node:assert");
+
+test("Test ReDos - attack string", async (t) => {
+ const getDuration = apicacheModule.getDuration;
+ const str = "" + "00".repeat(100000) + "\u0000";
+ const startTime = performance.now();
+ try {
+ getDuration(str);
+ } catch (error) {
+ // pass
+ }
+ const endTime = performance.now();
+ const elapsedTime = endTime - startTime;
+ const reDosThreshold = 9000;
+ assert(elapsedTime <= reDosThreshold, `🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
+});
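Review bot: The bare `catch (error) { // pass }` around `getDuration(str)` discards the outcome entirely, so the test cannot tell a fast rejection from a fast crash, and with the trailing `\u0000` the string never matches, which on the current apicache code means a TypeError from indexing a null match rather than a parsed duration; narrow the catch to the error you expect and rethrow anything else, or assert on the call's result explicitly, so that an unrelated early failure does not masquerade as a ReDoS fix. The 9000 ms wall-clock threshold makes the check timing-dependent; it will catch a quadratic blow-up on 200k characters, but a slow CI runner or a partially degraded pattern sits in a grey zone, so a comment stating the expected order of magnitude (linear in the input length) would help the next reader judge the number. `performance` is used as a global here; `const { performance } = require("node:perf_hooks");` matches the file's explicit `require` style and works on older Node as well. The `require("test")` fallback for Node below 18 is unlikely to resolve unless a package of that name is installed, and the `t` parameter is unused.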