TyleoDvDelaware3217/Kuma
1
0
Fork 0
mirror of https://github.com/louislam/uptime-kuma.git synced 2025-06-05 04:42:34 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Fix the regular expression in the getDuration method to prevent ReDoS attacks and update error messages in test cases.

Browse source
This commit is contained in:
SuperMaxine 2025-01-19 22:20:07 +08:00
parent 78874f2d76
commit b3d6d45122
2 changed files with 7 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
server/modules/apicache/apicache.js
View file

@ -485,7 +485,7 @@ function ApiCache() {
} }
if (typeof duration === "string") { if (typeof duration === "string") {
let split = duration.match(/^([\d\.,]+)\s?(\w+)$/); let split = duration.match(/^([\d\.,]+)(?!\1)\s?((?:(?!\d)\w)+)$/);
if (split.length === 3) { if (split.length === 3) {
let len = parseFloat(split[1]); let len = parseFloat(split[1]);

8
test/backend-test/test-apicache-ReDos.js
View file

@ -14,9 +14,13 @@ test("Test ReDos - attack string", async (t) => {
const getDuration = apicacheModule.getDuration; const getDuration = apicacheModule.getDuration;
const str = "" + "00".repeat(100000) + "\u0000"; const str = "" + "00".repeat(100000) + "\u0000";
const startTime = performance.now(); const startTime = performance.now();
getDuration(str); try {
getDuration(str);
} catch (error) {
// pass
}
const endTime = performance.now(); const endTime = performance.now();
const elapsedTime = endTime - startTime; const elapsedTime = endTime - startTime;
const reDosThreshold = 9000; const reDosThreshold = 9000;
assert(elapsedTime <= reDosThreshold, `🚨 可能存在 ReDoS 攻击getDuration 方法耗时 ${elapsedTime.toFixed(2)} 毫秒,超过阈值 ${reDosThreshold} 毫秒。`); assert(elapsedTime <= reDosThreshold, `🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
}); });