You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
it looks like the regex at https://github.com/nodejs/undici/blob/main/lib/fetch/util.js#L604 (/((?<algo>sha256|sha384|sha512)-(?<hash>[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i) is incorrect in a few different ways. A-z will also match [\]^_ which are invalid base64 characters, and the range [A-z0-9+/] is only matched once anyways - the second character and all others until any padding are matched via .*. i didn't fully read the spec but i believe the latter half, ( +[\x21-\x7e]?)?, is also incorrect and won't accurately match the option-expression
Reproducible By
N/A
Expected Behavior
The regex should only match valid integrity attributes and no other values.
Bug Description
it looks like the regex at https://github.com/nodejs/undici/blob/main/lib/fetch/util.js#L604 (
/((?<algo>sha256|sha384|sha512)-(?<hash>[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i
) is incorrect in a few different ways.A-z
will also match[\]^_
which are invalidbase64
characters, and the range[A-z0-9+/]
is only matched once anyways - the second character and all others until any padding are matched via.*
. i didn't fully read the spec but i believe the latter half,( +[\x21-\x7e]?)?
, is also incorrect and won't accurately match theoption-expression
Reproducible By
N/A
Expected Behavior
The regex should only match valid integrity attributes and no other values.
Logs & Screenshots
N/A
Environment
N/A
Additional context
The text was updated successfully, but these errors were encountered: