From 97731871e674bf93bcbf29e9d3258da8685f3076 Mon Sep 17 00:00:00 2001 From: mmmsssttt404 <931121963@qq.com> Date: Thu, 17 Jul 2025 02:18:36 +0800 Subject: [PATCH 1/6] Update hosted-git-resolver.js --- src/resolvers/exotics/hosted-git-resolver.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/resolvers/exotics/hosted-git-resolver.js b/src/resolvers/exotics/hosted-git-resolver.js index 83d4ab20b0..aa6ab043da 100644 --- a/src/resolvers/exotics/hosted-git-resolver.js +++ b/src/resolvers/exotics/hosted-git-resolver.js @@ -30,8 +30,9 @@ export function explodeHostedGitFragment(fragment: string, reporter: Reporter): } const parts = fragment - .replace(/(.*?)#.*/, '$1') // Strip hash - .replace(/.*:(.*)/, '$1') // Strip prefixed protocols + .split('#', 1)[0] + .split(':') + .pop() .replace(/.git$/, '') // Strip the .git suffix .split('/'); From af396d504054051b5ccf529369746f600e8ca4fa Mon Sep 17 00:00:00 2001 From: mmmsssttt404 <931121963@qq.com> Date: Thu, 17 Jul 2025 02:19:28 +0800 Subject: [PATCH 2/6] Update hosted-git-resolver.js --- __tests__/resolvers/exotics/hosted-git-resolver.js | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/__tests__/resolvers/exotics/hosted-git-resolver.js b/__tests__/resolvers/exotics/hosted-git-resolver.js index 403e14374a..260b26ebf2 100644 --- a/__tests__/resolvers/exotics/hosted-git-resolver.js +++ b/__tests__/resolvers/exotics/hosted-git-resolver.js @@ -28,3 +28,13 @@ const reporter = new reporters.NoopReporter({}); expect(explodeHostedGitFragment(fragment, reporter).hash).toEqual(hash); }); }); +describe('explodeHostedGitFragment DOS vulnerability test', () => { + const MAX_MS = 200; + test('long fragment without # should finish quickly and throw', () => { + const longFragment = '' + '\u0000'.repeat(100000) + '\u0000'; + const start = Date.now(); + expect(() => explodeHostedGitFragment(longFragment, reporter)).toThrow(); + const duration = Date.now() - start; + expect(duration).toBeLessThan(MAX_MS); + }); +}); From 648bdf10a1cad519dc71d9531d5f9af4120e2f8c Mon Sep 17 00:00:00 2001 From: mmmsssttt404 <931121963@qq.com> Date: Wed, 13 Aug 2025 10:03:42 +0800 Subject: [PATCH 3/6] Update hosted-git-resolver.js --- src/resolvers/exotics/hosted-git-resolver.js | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/resolvers/exotics/hosted-git-resolver.js b/src/resolvers/exotics/hosted-git-resolver.js index aa6ab043da..83d4ab20b0 100644 --- a/src/resolvers/exotics/hosted-git-resolver.js +++ b/src/resolvers/exotics/hosted-git-resolver.js @@ -30,9 +30,8 @@ export function explodeHostedGitFragment(fragment: string, reporter: Reporter): } const parts = fragment - .split('#', 1)[0] - .split(':') - .pop() + .replace(/(.*?)#.*/, '$1') // Strip hash + .replace(/.*:(.*)/, '$1') // Strip prefixed protocols .replace(/.git$/, '') // Strip the .git suffix .split('/'); From fc91b1035f57da75e328656fedd0ff4ab398bcd1 Mon Sep 17 00:00:00 2001 From: mmmsssttt404 <931121963@qq.com> Date: Wed, 13 Aug 2025 10:04:55 +0800 Subject: [PATCH 4/6] Update hosted-git-resolver.js --- __tests__/resolvers/exotics/hosted-git-resolver.js | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/__tests__/resolvers/exotics/hosted-git-resolver.js b/__tests__/resolvers/exotics/hosted-git-resolver.js index 260b26ebf2..403e14374a 100644 --- a/__tests__/resolvers/exotics/hosted-git-resolver.js +++ b/__tests__/resolvers/exotics/hosted-git-resolver.js @@ -28,13 +28,3 @@ const reporter = new reporters.NoopReporter({}); expect(explodeHostedGitFragment(fragment, reporter).hash).toEqual(hash); }); }); -describe('explodeHostedGitFragment DOS vulnerability test', () => { - const MAX_MS = 200; - test('long fragment without # should finish quickly and throw', () => { - const longFragment = '' + '\u0000'.repeat(100000) + '\u0000'; - const start = Date.now(); - expect(() => explodeHostedGitFragment(longFragment, reporter)).toThrow(); - const duration = Date.now() - start; - expect(duration).toBeLessThan(MAX_MS); - }); -}); From c97b5aa07b05b47bae4c489d34dcb961d27eb9a9 Mon Sep 17 00:00:00 2001 From: mmmsssttt404 <931121963@qq.com> Date: Wed, 13 Aug 2025 11:47:14 +0800 Subject: [PATCH 5/6] Update request-manager.js --- __tests__/util/request-manager.js | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/__tests__/util/request-manager.js b/__tests__/util/request-manager.js index be9b964653..83780c2733 100644 --- a/__tests__/util/request-manager.js +++ b/__tests__/util/request-manager.js @@ -308,3 +308,24 @@ test('RequestManager.saveHar no captureHar error message', async () => { expect(err.message).toBe('RequestManager was not setup to capture HAR files'); } }); + +test('Regex Dos', () => { + const nativeFs = require('fs'); + const os = require('os'); + + const bundle = '' + '-----BEGIN '.repeat(50000) + '\r'; + const tmp = path.join(os.tmpdir(), `cafile-${Date.now()}.pem`); + nativeFs.writeFileSync(tmp, bundle, 'utf8'); + + const rm = new RequestManager((new Reporter(): any)); + + const start = Date.now(); + rm.setOptions({userAgent: 'ua/1.0', strictSSL: false, cafile: tmp}); + const duration = Date.now() - start; + + expect(duration).toBeLessThan(3000); + + try { + nativeFs.unlinkSync(tmp); + } catch (_) {} +}); From f54fa0f0e0cdec16583b572dec679c9fbf9073a4 Mon Sep 17 00:00:00 2001 From: mmmsssttt404 <931121963@qq.com> Date: Wed, 13 Aug 2025 11:47:55 +0800 Subject: [PATCH 6/6] Update request-manager.js --- src/util/request-manager.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util/request-manager.js b/src/util/request-manager.js index fd41bf2100..02ab9b1a82 100644 --- a/src/util/request-manager.js +++ b/src/util/request-manager.js @@ -184,7 +184,7 @@ export default class RequestManager { const bundle = fs.readFileSync(opts.cafile).toString(); const hasPemPrefix = block => block.startsWith('-----BEGIN '); // opts.cafile overrides opts.ca, this matches with npm behavior - this.ca = bundle.split(/(-----BEGIN .*\r?\n[^-]+\r?\n--.*)/).filter(hasPemPrefix); + this.ca = bundle.split(/(-----BEGIN (?:(?!-).)*\r?\n[^-]+\r?\n--.*)/).filter(hasPemPrefix); } catch (err) { this.reporter.error(`Could not open cafile: ${err.message}`); }