fix(combineURL): regex for ReDoS attack
WillianAgostini committed Dec 20, 2023
1 parent 3b1d773 commit 918286c
Showing 2 changed files with 5 additions and 5 deletions.
6 changes: 3 additions & 3 deletions lib/helpers/combineURLs.js
@@ -13,8 +13,8 @@ export default function combineURLs(baseURL, relativeURL) {

const baseURLRegex = new RegExp(/\/+$/);
const relativeURLRegex = new RegExp(/^\/+/);
const multipleSlashes = new RegExp(/\/{3,}/);
return baseURL.replace(multipleSlashes, '').replace(baseURLRegex, '')
const multipleSlashes = new RegExp(/\/{3,}/g);
return baseURL.replace(multipleSlashes, '/').replace(baseURLRegex, '')
+ '/'
+ relativeURL.replace(multipleSlashes, '').replace(relativeURLRegex, '');
+ relativeURL.replace(multipleSlashes, '/').replace(relativeURLRegex, '');
}
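Review bot: The `multipleSlashes` replacement with the `g` flag rewrites every run of three or more slashes anywhere in `baseURL` and `relativeURL`, not only at the join, so the helper now alters parts of the URL the caller did not ask it to touch (a constructed example: `file:///srv/api` would become `file:/srv/api`). If a caller validates a URL before passing it in, the request can be built from a different string than the one that was checked; whether any caller does that is not visible here. The collapse appears to exist only to keep `/\/+$/` from backtracking on long interior slash runs, and a linear scan from the end of `baseURL` gives the same protection without touching the middle, while `/^\/+/` is anchored at the start and needs no pre-pass. With that change the spec's expected URL for the `'///foo' + …` input would differ, because interior slashes would be preserved. The function's signature and doc comment sit above the hunk.

```javascript
export default function combineURLs(baseURL, relativeURL) {
  // … unchanged: anything between the signature and the hunk …
  // Trim trailing slashes with a linear scan instead of a backtracking-prone regex.
  let end = baseURL.length;
  while (end > 0 && baseURL[end - 1] === '/') {
    end -= 1;
  }
  return baseURL.slice(0, end) + '/' + relativeURL.replace(/^\/+/, '');
```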
4 changes: 2 additions & 2 deletions test/specs/defaults.spec.js
@@ -189,13 +189,13 @@ describe('defaults', function () {
it('should resistent to ReDoS attack', function (done) {
const instance = axios.create();
const start = performance.now();
instance.defaults.baseURL = '/'.repeat(100000) + 'bar/';
instance.defaults.baseURL = '///foo' + '/'.repeat(100000) + 'bar////////';
instance.get('/foo');

getAjaxRequest().then(function (request) {
const elapsedTimeMs = performance.now() - start;
expect(elapsedTimeMs).toBeLessThan(20);
expect(request.url).toBe('bar/foo');
expect(request.url).toBe('/foo/bar/foo');
done();
});
});
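Review bot: The changed input only stresses the `baseURL` argument, while `combineURLs` applies the same `multipleSlashes` and anchored replacements to `relativeURL`, so that half of the fix has no regression test in this `it` block. A direct assertion on the helper would cover it without going through the request pipeline, for example `expect(combineURLs('/base', '/'.repeat(100000) + 'foo')).toBe('/base/foo');` in the helper's own spec (the file layout is not visible here). The unchanged `expect(elapsedTimeMs).toBeLessThan(20);` is a wall-clock bound that also times request dispatch, so it may fail on a loaded CI machine for reasons unrelated to the regex; a looser bound or a comparison between two input sizes would be steadier. The enclosing `describe('defaults', …)` starts and ends outside the hunk.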