Merge 7c67daf7cc into 7a9191761d

fix: make sure that stripping backslashes for notification urls cannot cause catastophic backtracking (ReDOS) (#5573 )
Co-authored-by: Frank Elsinga <frank@elsinga.de>
2025-02-25 21:15:55 +00:00 · 2025-01-26 10:52:24 +00:00 · 2025-01-26 11:52:12 +01:00
2 changed files with 3 additions and 2 deletions
--- a/server/notification-providers/pushdeer.js
+++ b/server/notification-providers/pushdeer.js
@ -11,7 +11,8 @@ class PushDeer extends NotificationProvider {
    async send(notification, msg, monitorJSON = null, heartbeatJSON = null) {
        const okMsg = "Sent Successfully.";
        const serverUrl = notification.pushdeerServer || "https://api2.pushdeer.com";
-        const url = `${serverUrl.trim().replace(/\/*$/, "")}/message/push`;
+        // capture group below is nessesary to prevent an ReDOS-attack
        const url = `${serverUrl.trim().replace(/([^/])\/+$/, "$1")}/message/push`;
        let valid = msg != null && monitorJSON != null && heartbeatJSON != null;
--- a/server/notification-providers/whapi.js
+++ b/server/notification-providers/whapi.js
@ -24,7 +24,7 @@ class Whapi extends NotificationProvider {
                "body": msg,
            };
-            let url = (notification.whapiApiUrl || "https://gate.whapi.cloud/").replace(/\/+$/, "") + "/messages/text";
+            let url = (notification.whapiApiUrl || "https://gate.whapi.cloud/").replace(/([^/])\/+$/, "$1") + "/messages/text";
            await axios.post(url, data, config);
Author	SHA1	Message	Date
ceredpl	4f61782e85	Merge `7c67daf7cc` into `7a9191761d`	2025-01-26 10:52:24 +00:00
DayShift	7a9191761d	fix: make sure that stripping backslashes for notification urls cannot cause catastophic backtracking (ReDOS) (#5573 ) Co-authored-by: Frank Elsinga <frank@elsinga.de>	2025-01-26 11:52:12 +01:00