fix: add a maximum length for the URL

The regular expression used to parse the URL provided by the user has a
time complexity of O(n^2), hence the length limitation.

Please note that this does not seem realistically exploitable, as an
attacker would have to be able to provide a malicious URL to the user
and inject it in the Engine.IO client.

We could also have:

- modified the regex, but there are a lot of edge cases and the current test coverage is probably not sufficient
- use the built-in URL object, but we would have to add a polyfill for old platforms like IE

Thanks to Young-jin Hwang from the Soonchunhyang University for the
responsible disclosure.

Author: darrachequesne

lib/contrib/parseuri.ts

@@ -23,7 +23,11 @@ const parts = [
     'source', 'protocol', 'authority', 'userInfo', 'user', 'password', 'host', 'port', 'relative', 'path', 'directory', 'file', 'query', 'anchor'
 ];
 
-export function parse(str) {
+export function parse(str: string) {
+    if (str.length > 2000) {
+        throw "URI too long";
+    }
+
     const src = str,
         b = str.indexOf('['),
         e = str.indexOf(']');

test/parseuri.js

@@ -1,6 +1,7 @@
 // imported from https://github.com/galkn/parseuri
 const expect = require("expect.js");
 const parseuri = require("..").parse;
+const { repeat } = require("./util");
 
 describe("parseuri", function () {
   it("should parse an uri", function () {
@@ -64,5 +65,7 @@ describe("parseuri", function () {
     expect(relativeWithQuery.host).to.be("");
     expect(relativeWithQuery.path).to.be("/foo");
     expect(relativeWithQuery.query).to.be("bar=@example.com");
+
+    expect(() => parseuri(repeat("a", 2001))).to.throwError("URI too long");
   });
 });