Merge commit from fork

* fix: avoid redos on host and protocol getter

Only effect on app.proxy enable

closes GHSA-593f-38f6-jp5m

* Release 2.15.4

History.md

@@ -1,4 +1,9 @@
 
+2.15.4 / 2025-02-11
+==================
+
+fix: avoid redos on host and protocol getter
+
 2.15.3 / 2024-04-11
 ==================
 

lib/request.js

@@ -257,7 +257,7 @@ module.exports = {
       if (!host) host = this.get('Host');
     }
     if (!host) return '';
-    return host.split(/\s*,\s*/, 1)[0];
+    return splitCommaSeparatedValues(host, 1)[0];
   },
 
   /**
@@ -402,7 +402,7 @@ module.exports = {
     if (this.socket.encrypted) return 'https';
     if (!this.app.proxy) return 'http';
     const proto = this.get('X-Forwarded-Proto');
-    return proto ? proto.split(/\s*,\s*/, 1)[0] : 'http';
+    return proto ? splitCommaSeparatedValues(proto, 1)[0] : 'http';
   },
 
   /**
@@ -434,7 +434,7 @@ module.exports = {
     const proxy = this.app.proxy;
     const val = this.get(this.app.proxyIpHeader);
     let ips = proxy && val
-      ? val.split(/\s*,\s*/)
+      ? splitCommaSeparatedValues(val)
       : [];
     if (this.app.maxIpsCount > 0) {
       ips = ips.slice(-this.app.maxIpsCount);
@@ -724,3 +724,15 @@ module.exports = {
 if (util.inspect.custom) {
   module.exports[util.inspect.custom] = module.exports.inspect;
 }
+
+/**
+ * Split a comma-separated value string into an array of values, with an optional limit.
+ * All the values are trimmed of whitespace.
+ *
+ * @param {string} value - The comma-separated value string to split.
+ * @param {number} [limit] - The maximum number of values to return.
+ * @returns {string[]} An array of values from the comma-separated string.
+ */
+function splitCommaSeparatedValues(value, limit) {
+  return value.split(',', limit).map(v => v.trim());
+}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "koa",
-  "version": "2.15.3",
+  "version": "2.15.4",
   "description": "Koa web app framework",
   "main": "lib/application.js",
   "exports": {