
fix: Regular Expression Denial of Service (ReDoS) (#6132)
WillianAgostini authored Dec 26, 2023
1 parent 8befb86 commit 5e7ad38
Showing 2 changed files with 17 additions and 2 deletions.
2 changes: 1 addition & 1 deletion lib/helpers/combineURLs.js
Expand Up @@ -10,6 +10,6 @@
*/
export default function combineURLs(baseURL, relativeURL) {
return relativeURL
? baseURL.replace(/\/+$/, '') + '/' + relativeURL.replace(/^\/+/, '')
? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
: baseURL;
}
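Review bot: The change from `/\/+$/` to `/\/?\/$/` on the baseURL line is also a behaviour change that the code does not document: the bounded pattern strips at most two trailing slashes, so a base such as `http://host///` now becomes `http://host//` + `/` + relativeURL instead of a single separator, and nothing in the function says why the pattern is bounded. I would add a comment above the return, `// Bounded on purpose: \/+$ is quadratic on long runs of slashes (ReDoS, #6132); at most two trailing slashes are removed.` The `^\/+` pattern on relativeURL is presumably unaffected because the `^` anchor fails immediately at every start position after the first, but it is worth confirming with the same timing test. If stripping every trailing slash still matters, a single backwards index scan over baseURL followed by one slice does it in linear time without a regex. The JSDoc for combineURLs begins above the hunk.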
17 changes: 16 additions & 1 deletion test/specs/defaults.spec.js
Expand Up @@ -178,10 +178,25 @@ describe('defaults', function () {
const instance = axios.create();
axios.defaults.baseURL = 'http://example.org/';

instance.get('/foo/users');

getAjaxRequest().then(function (request) {
expect(request.url).toBe('/foo/users');
done();
});
});

it('should resistent to ReDoS attack', function (done) {
const instance = axios.create();
const start = performance.now();
const slashes = '/'.repeat(100000);
instance.defaults.baseURL = '/' + slashes + 'bar/';
instance.get('/foo');

getAjaxRequest().then(function (request) {
expect(request.url).toBe('/foo');
const elapsedTimeMs = performance.now() - start;
expect(elapsedTimeMs).toBeLessThan(20);
expect(request.url).toBe('/' + slashes + 'bar/foo');
done();
});
});
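Review bot: The two `expect(request.url)` calls in the new test assert different values, so it cannot pass as written: the base set via `instance.defaults.baseURL` makes `/foo` resolve to `'/' + slashes + 'bar/foo'`, which the later expectation checks, and the earlier `expect(request.url).toBe('/foo');` contradicts it and should be dropped. Because the expectations run inside a `.then` callback, a thrown assertion presumably surfaces as an unhandled rejection and `done()` is never called, so the failure would show up as a timeout rather than a clear message. The wall-clock bound `expect(elapsedTimeMs).toBeLessThan(20);` measures request setup, promise scheduling and whatever `getAjaxRequest()` waits on in addition to the regex, and is likely to flake on a loaded CI runner; a looser bound, or simply relying on the framework's per-test timeout (which the quadratic pattern with 100000 slashes would presumably exceed), makes the regression guard more reliable. The title string `'should resistent to ReDoS attack'` reads better as `'should be resistant to a ReDoS attack'`. The enclosing `describe('defaults', …)` block begins before the hunk.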
