Fix the regular expression in the getDuration method to prevent ReDoS attacks and update error messages in test cases.

2025-04-02 06:22:20 +00:00 · 2025-01-19 22:20:07 +08:00 · 2025-01-19 22:20:07 +08:00 · b3d6d45122
commit b3d6d45122
parent 78874f2d76
2 changed files with 7 additions and 3 deletions
--- a/server/modules/apicache/apicache.js
+++ b/server/modules/apicache/apicache.js
@ -485,7 +485,7 @@ function ApiCache() {
        }

        if (typeof duration === "string") {
-            let split = duration.match(/^([\d\.,]+)\s?(\w+)$/);
+            let split = duration.match(/^([\d\.,]+)(?!\1)\s?((?:(?!\d)\w)+)$/);

            if (split.length === 3) {
                let len = parseFloat(split[1]);
--- a/test/backend-test/test-apicache-ReDos.js
+++ b/test/backend-test/test-apicache-ReDos.js
@ -14,9 +14,13 @@ test("Test ReDos - attack string", async (t) => {
  const getDuration = apicacheModule.getDuration;
  const str = "" + "00".repeat(100000) + "\u0000";
  const startTime = performance.now();
-  getDuration(str);
+  try {
+    getDuration(str);
+  } catch (error) {
+    // pass
+  }
  const endTime = performance.now();
  const elapsedTime = endTime - startTime;
  const reDosThreshold = 9000;
-  assert(elapsedTime <= reDosThreshold, `🚨 可能存在 ReDoS 攻击！getDuration 方法耗时 ${elapsedTime.toFixed(2)} 毫秒，超过阈值 ${reDosThreshold} 毫秒。`);
+  assert(elapsedTime <= reDosThreshold, `🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
 });