mirrors/axios
2
0
Fork 0
mirror of https://github.com/tenrok/axios.git synced 2026-06-20 20:00:40 +03:00
Code Activity

fix: Regular Expression Denial of Service (ReDoS) (#6132)

Browse Source
This commit is contained in:
Willian Agostini
2023-12-26 17:29:26 -03:00
committed by GitHub
parent 8befb86efb
commit 5e7ad38fb0
2 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/helpers/combineURLs.js
+1 -1
View File
@@ -10,6 +10,6 @@
*/ */
export default function combineURLs(baseURL, relativeURL) { export default function combineURLs(baseURL, relativeURL) {
return relativeURL return relativeURL
? baseURL.replace(/\/+$/, '') + '/' + relativeURL.replace(/^\/+/, '') ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
: baseURL; : baseURL;
} }
test/specs/defaults.spec.js
+16 -1
View File
@@ -178,10 +178,25 @@ describe('defaults', function () {
const instance = axios.create(); const instance = axios.create();
axios.defaults.baseURL = 'http://example.org/'; axios.defaults.baseURL = 'http://example.org/';
instance.get('/foo/users');
getAjaxRequest().then(function (request) {
expect(request.url).toBe('/foo/users');
done();
});
});
it('should resistent to ReDoS attack', function (done) {
const instance = axios.create();
const start = performance.now();
const slashes = '/'.repeat(100000);
instance.defaults.baseURL = '/' + slashes + 'bar/';
instance.get('/foo'); instance.get('/foo');
getAjaxRequest().then(function (request) { getAjaxRequest().then(function (request) {
expect(request.url).toBe('/foo'); const elapsedTimeMs = performance.now() - start;
expect(elapsedTimeMs).toBeLessThan(20);
expect(request.url).toBe('/' + slashes + 'bar/foo');
done(); done();
}); });
}); });