diff --git a/History.md b/History.md
index 7a5cf3355..8bca01100 100644
--- a/History.md
+++ b/History.md
@@ -1,4 +1,9 @@
+2.15.4 / 2025-02-11
+==================
+
+fix: avoid redos on host and protocol getter
+
 2.15.3 / 2024-04-11
 ==================
diff --git a/lib/request.js b/lib/request.js
index e62afd606..c2b0db600 100644
--- a/lib/request.js
+++ b/lib/request.js
@@ -257,7 +257,7 @@ module.exports = {
 if (!host) host = this.get('Host');
 }
 if (!host) return '';
- return host.split(/\s*,\s*/, 1)[0];
+ return splitCommaSeparatedValues(host, 1)[0];
 },
 /**
@@ -402,7 +402,7 @@ module.exports = {
 if (this.socket.encrypted) return 'https';
 if (!this.app.proxy) return 'http';
 const proto = this.get('X-Forwarded-Proto');
- return proto ? proto.split(/\s*,\s*/, 1)[0] : 'http';
+ return proto ? splitCommaSeparatedValues(proto, 1)[0] : 'http';
 },
 /**
@@ -434,7 +434,7 @@ module.exports = {
 const proxy = this.app.proxy;
 const val = this.get(this.app.proxyIpHeader);
 let ips = proxy && val
- ? val.split(/\s*,\s*/)
+ ? splitCommaSeparatedValues(val)
 : [];
 if (this.app.maxIpsCount > 0) {
 ips = ips.slice(-this.app.maxIpsCount);
@@ -724,3 +724,15 @@ module.exports = {
 if (util.inspect.custom) {
 module.exports[util.inspect.custom] = module.exports.inspect;
 }
+
+/**
+ * Split a comma-separated value string into an array of values, with an optional limit.
+ * All the values are trimmed of whitespace.
+ *
+ * @param {string} value - The comma-separated value string to split.
+ * @param {number} [limit] - The maximum number of values to return.
+ * @returns {string[]} An array of values from the comma-separated string.
+ */
+function splitCommaSeparatedValues(value, limit) {
+ return value.split(',', limit).map(v => v.trim());
+ }
diff --git a/package.json b/package.json
index 5cde7d256..b8f4ae23b 100644
--- a/package.json
+++ b/package.json
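Review bot: Nothing in the diff as shown pins the ReDoS fix in the `host` getter, so the `/\s*,\s*/` split on the removed line can creep back in a later tidy-up without any test failing; a unit test sending a `Host` value shaped like `'a' + ' '.repeat(50000)` (a long whitespace run with no comma, which made the old regex backtrack quadratically at every position) and asserting it returns promptly would lock the change in. The new line also has a small observable difference worth a second assertion: `' a.com, b.com'` now yields `'a.com'`, whereas `host.split(/\s*,\s*/, 1)[0]` returned `' a.com'` because the regex only consumed whitespace adjacent to a comma. Node's HTTP parser strips optional whitespace around header values, so I would not expect this to affect real requests, but the changelog entry does not mention it. The getter's body starts outside the hunk, so I cannot see which header feeds `host` before the `Host` fallback.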
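Review bot: `splitCommaSeparatedValues` carries no comment explaining why it splits on a literal comma instead of a regex, so a future reader will see `value.split(',', limit).map(v => v.trim())` as a roundabout way of writing `value.split(/\s*,\s*/, limit)` and undo the fix; above the `return` add `// Split on a literal comma and trim each piece: /\s*,\s*/ backtracks quadratically on a long run of whitespace with no comma, which is ReDoS on attacker-controlled headers. String.prototype.trim() strips the same WhiteSpace/LineTerminator set that \s matches, so what counts as whitespace is unchanged.` Two edge cases deserve a line in the JSDoc as well: empty entries are kept (`'a,,b'` gives `['a', '', 'b']`, as the old regex did), and a `limit` of `0` returns `[]`, so `splitCommaSeparatedValues(v, 0)[0]` is `undefined` — the three callers in this diff pass `1` or omit it.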
@@ -1,6 +1,6 @@
 {
 "name": "koa",
- "version": "2.15.3",
+ "version": "2.15.4",
 "description": "Koa web app framework",
 "main": "lib/application.js",
 "exports": {