feat(brotli): use xregexp to protect against attack vectors

ladjs · Jul 23, 2024 · a6f5bbb · a6f5bbb
1 parent dcd8cce
commit a6f5bbb
Show file tree

Hide file tree

Showing 4 changed files with 118 additions and 4 deletions.
diff --git a/.dist.eslintrc b/.dist.eslintrc
@@ -27,7 +27,10 @@
     "no-control-regex": "off",
     "no-fallthrough": "off",
     "operator-linebreak": "off",
-    "node/no-missing-require": "warn"
+    "node/no-missing-require": "warn",
+    "no-prototype-builtins": "off",
+    "no-self-assign": "off",
+    "no-misleading-character-class": "off"
   },
   "globals": {
     "regeneratorRuntime": "writable"

diff --git a/package.json b/package.json
@@ -26,7 +26,8 @@
     "formidable": "^3.5.1",
     "methods": "^1.1.2",
     "mime": "2.6.0",
-    "qs": "^6.11.0"
+    "qs": "^6.11.0",
+    "xregexp": "^5.1.1"
   },
   "devDependencies": {
     "@babel/cli": "^7.20.7",

diff --git a/src/utils.js b/src/utils.js
@@ -1,3 +1,5 @@
+const XRegExp = require('xregexp');
+
 /**
  * Return the mime type for the given `str`.
  *
@@ -113,7 +115,7 @@ exports.mixin = (target, source) => {
  */
 
 exports.isGzipOrDeflateEncoding = (res) => {
-  return /^\s*(?:deflate|gzip)\s*$/.test(res.headers['content-encoding']);
+  return XRegExp(/^\s*(?:deflate|gzip)\s*$/).test(res.headers['content-encoding']);
 };
 
 /**
@@ -123,5 +125,5 @@ exports.isGzipOrDeflateEncoding = (res) => {
  */
 
 exports.isBrotliEncoding = (res) => {
-  return /^\s*(?:br)\s*$/.test(res.headers['content-encoding']);
+  return XRegExp(/^\s*(?:br)\s*$/).test(res.headers['content-encoding']);
 };
diff --git a/test/node/utils.js b/test/node/utils.js
@@ -39,3 +39,111 @@ describe('utils.parseLinks(str)', () => {
     );
   });
 });
+
+describe('utils.isGzipOrDeflateEncoding(res)', () => {
+  it('should return true when content encoding is gzip', () => {
+    utils.isGzipOrDeflateEncoding({
+      headers: {
+        'content-encoding': 'gzip',
+      },
+    }).should.equal(true);
+  });
+  it('should return true when content encoding is deflate', () => {
+    utils.isGzipOrDeflateEncoding({
+      headers: {
+        'content-encoding': 'deflate',
+      },
+    }).should.equal(true);
+  });
+  it('should return false when content encoding is bla', () => {
+    utils.isGzipOrDeflateEncoding({
+      headers: {
+        'content-encoding': 'bla',
+      },
+    }).should.equal(false);
+  });
+
+  it('should return true when content encoding has a lot of spaces followed with gzip', () => {
+    utils.isGzipOrDeflateEncoding({
+      headers: {
+        'content-encoding': " " * 10**6 + " gzip",
+      },
+    }).should.equal(false);
+  });
+
+  it('should return true when content encoding repeates it self', () => {
+    utils.isGzipOrDeflateEncoding({
+      headers: {
+        'content-encoding': "gzip deflate gzip deflate gzip deflate gzip deflate gzip deflate gzip deflate gzip deflate gzip deflate",
+      },
+    }).should.equal(false);
+  });
+
+  it('should return true when content encoding repeates it self wuth a lot of spaces', () => {
+    utils.isGzipOrDeflateEncoding({
+      headers: {
+        'content-encoding': " gzip   deflate   gzip   deflate   gzip   deflate   gzip   deflate   gzip   deflate   gzip   deflate",
+      },
+    }).should.equal(false);
+  });
+
+  it('should return true when content encoding - nested patterns', () => {
+    utils.isGzipOrDeflateEncoding({
+      headers: {
+        'content-encoding': " " * 10**5 + ("gzip deflate " * 1000)
+      },
+    }).should.equal(false);
+  });
+
+
+});
+
+describe('utils.isBrotliEncoding(res)', () => {
+  it('should return true when content encoding is br', () => {
+    utils.isBrotliEncoding({
+      headers: {
+        'content-encoding': 'br',
+      },
+    }).should.equal(true);
+  });
+  it('should return false when content encoding is bla', () => {
+    utils.isBrotliEncoding({
+      headers: {
+        'content-encoding': 'bla',
+      },
+    }).should.equal(false);
+  });
+
+  it('should return true when content encoding has a lot of spaces followed with br', () => {
+    utils.isBrotliEncoding({
+      headers: {
+        'content-encoding': " " * 10**6 + " br",
+      },
+    }).should.equal(false);
+  });
+
+  it('should return true when content encoding repeates it self', () => {
+    utils.isBrotliEncoding({
+      headers: {
+        'content-encoding': " br br br br br  br br br br br  br br br br br br br br br br  br br br br br  br br br br br",
+      },
+    }).should.equal(false);
+  });
+
+  it('should return true when content encoding repeates it self wuth a lot of spaces', () => {
+    utils.isBrotliEncoding({
+      headers: {
+        'content-encoding': "br     br     br     br     br     br     br     br     br     br     br     br     br     br",
+      },
+    }).should.equal(false);
+  });
+
+  it('should return true when content encoding - nested patterns', () => {
+    utils.isBrotliEncoding({
+      headers: {
+        'content-encoding': " " * 10**5 + ("br " * 1000)
+      },
+    }).should.equal(false);
+  });
+
+});