ric/uptime-kuma
1
0
Fork 0
mirror of https://github.com/louislam/uptime-kuma.git synced 2025-02-07 12:13:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

fix: make sure that stripping backslashes for notification urls cannot cause catastophic backtracking (ReDOS) (#5573)

Browse source 
Co-authored-by: Frank Elsinga <frank@elsinga.de>
This commit is contained in:
DayShift 2025-01-26 18:52:12 +08:00 committed by GitHub
parent 7dc6191b0a
commit 7a9191761d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
server/notification-providers/pushdeer.js
View file

@ -11,7 +11,8 @@ class PushDeer extends NotificationProvider {
async send(notification, msg, monitorJSON = null, heartbeatJSON = null) { async send(notification, msg, monitorJSON = null, heartbeatJSON = null) {
const okMsg = "Sent Successfully."; const okMsg = "Sent Successfully.";
const serverUrl = notification.pushdeerServer || "https://api2.pushdeer.com"; const serverUrl = notification.pushdeerServer || "https://api2.pushdeer.com";
const url = `${serverUrl.trim().replace(/\/*$/, "")}/message/push`; // capture group below is nessesary to prevent an ReDOS-attack
const url = `${serverUrl.trim().replace(/([^/])\/+$/, "$1")}/message/push`;
let valid = msg != null && monitorJSON != null && heartbeatJSON != null; let valid = msg != null && monitorJSON != null && heartbeatJSON != null;

2
server/notification-providers/whapi.js
View file

@ -24,7 +24,7 @@ class Whapi extends NotificationProvider {
"body": msg, "body": msg,
}; };
let url = (notification.whapiApiUrl || "https://gate.whapi.cloud/").replace(/\/+$/, "") + "/messages/text"; let url = (notification.whapiApiUrl || "https://gate.whapi.cloud/").replace(/([^/])\/+$/, "$1") + "/messages/text";
await axios.post(url, data, config); await axios.post(url, data, config);