fix: add a maximum length for the URL

The regular expression used to parse the URL provided by the user has a time complexity of O(n^2), hence the length limitation. Please note that this does not seem realistically exploitable, as an attacker would have to be able to provide a malicious URL to the user and inject it in the Engine.IO client. We could also have: - modified the regex, but there are a lot of edge cases and the current test coverage is probably not sufficient - use the built-in URL object, but we would have to add a polyfill for old platforms like IE Thanks to Young-jin Hwang from the Soonchunhyang University for the responsible disclosure.
socketio · Nov 9, 2023 · 707597d · 707597d
1 parent 8d86e0d
commit 707597d
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/lib/contrib/parseuri.ts b/lib/contrib/parseuri.ts
@@ -23,7 +23,11 @@ const parts = [
     'source', 'protocol', 'authority', 'userInfo', 'user', 'password', 'host', 'port', 'relative', 'path', 'directory', 'file', 'query', 'anchor'
 ];
 
-export function parse(str) {
+export function parse(str: string) {
+    if (str.length > 2000) {
+        throw "URI too long";
+    }
+
     const src = str,
         b = str.indexOf('['),
         e = str.indexOf(']');

diff --git a/test/parseuri.js b/test/parseuri.js
@@ -1,6 +1,7 @@
 // imported from https://github.com/galkn/parseuri
 const expect = require("expect.js");
 const parseuri = require("..").parse;
+const { repeat } = require("./util");
 
 describe("parseuri", function () {
   it("should parse an uri", function () {
@@ -64,5 +65,7 @@ describe("parseuri", function () {
     expect(relativeWithQuery.host).to.be("");
     expect(relativeWithQuery.path).to.be("/foo");
     expect(relativeWithQuery.query).to.be("bar=@example.com");
+
+    expect(() => parseuri(repeat("a", 2001))).to.throwError("URI too long");
   });
 });