ric/uptime-kuma
1
0
Fork 0
mirror of https://github.com/louislam/uptime-kuma.git synced 2025-02-26 13:35:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fix the regular expression in the getDuration method to prevent ReDoS attacks and update error messages in test cases.

Browse source
This commit is contained in:
DayShift 2025-01-22 09:54:05 +08:00
parent 223cde831f
commit 282bfb6c11
2 changed files with 27 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
server/modules/apicache/apicache.js
View file

@ -485,7 +485,7 @@ function ApiCache() {
}
if (typeof duration === "string") {
let split = duration.match(/^([\d\.,]+)\s?(\w+)$/);
let split = duration.match(/^([\d\.,]+)\s?((?:(?!\d)\w)+)$/);
if (split.length === 3) {
let len = parseFloat(split[1]);

26
test/backend-test/test-apicache-ReDos.js Normal file
View file

@ -0,0 +1,26 @@
const semver = require("semver");
let test;
const nodeVersion = process.versions.node;
if (semver.satisfies(nodeVersion, ">= 18")) {
test = require("node:test");
} else {
test = require("test");
}
const apicacheModule = require("../../server/modules/apicache/apicache.js");
const assert = require("node:assert");
test("Test ReDos - attack string", async (t) => {
const getDuration = apicacheModule.getDuration;
const str = "" + "00".repeat(100000) + "\u0000";
const startTime = performance.now();
try {
getDuration(str);
} catch (error) {
// pass
}
const endTime = performance.now();
const elapsedTime = endTime - startTime;
const reDosThreshold = 9000;
assert(elapsedTime <= reDosThreshold, `🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
});