diff --git a/History.md b/History.md
index 90aad7528..eab6836da 100644
--- a/History.md
+++ b/History.md
@@ -1,4 +1,10 @@
+3.0.0-alpha.3 / 2025-02-11
+==================
+
+**fixes**
+- Avoid redos on host and protocol getter
+
 3.0.0-alpha.2 / 2024-11-04
 ==================
diff --git a/lib/request.js b/lib/request.js
index 7136c0d0b..073ff20d6 100644
--- a/lib/request.js
+++ b/lib/request.js
@@ -256,7 +256,7 @@ module.exports = {
 if (!host) host = this.get('Host')
 }
 if (!host) return ''
- return host.split(/\s*,\s*/, 1)[0]
+ return splitCommaSeparatedValues(host, 1)[0]
 },
 /**
@@ -401,7 +401,7 @@ module.exports = {
 if (this.socket.encrypted) return 'https'
 if (!this.app.proxy) return 'http'
 const proto = this.get('X-Forwarded-Proto')
- return proto ? proto.split(/\s*,\s*/, 1)[0] : 'http'
+ return proto ? splitCommaSeparatedValues(proto, 1)[0] : 'http'
 },
 /**
@@ -433,7 +433,7 @@ module.exports = {
 const proxy = this.app.proxy
 const val = this.get(this.app.proxyIpHeader)
 let ips = proxy && val
- ? val.split(/\s*,\s*/)
+ ? splitCommaSeparatedValues(val)
 : []
 if (this.app.maxIpsCount > 0) {
 ips = ips.slice(-this.app.maxIpsCount)
@@ -723,3 +723,15 @@ module.exports = {
 if (util.inspect.custom) {
 module.exports[util.inspect.custom] = module.exports.inspect
 }
+
+/**
+ * Split a comma-separated value string into an array of values, with an optional limit.
+ * All the values are trimmed of whitespace.
+ *
+ * @param {string} value - The comma-separated value string to split.
+ * @param {number} [limit] - The maximum number of values to return.
+ * @returns {string[]} An array of values from the comma-separated string.
+ */
+function splitCommaSeparatedValues(value, limit) {
+ return value.split(',', limit).map(v => v.trim());
+}
diff --git a/package.json b/package.json
index 062a6b7dd..597becd75 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "koa",
- "version": "3.0.0-alpha.2",
+ "version": "3.0.0-alpha.3",
 "publishConfig": {
 "tag": "experimental"
 },
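Review bot: The new helper appended at the end of lib/request.js closes its return with a semicolon (`return value.split(',', limit).map(v => v.trim());`) while every other line of this file, including the context lines of the hunks at 256, 401 and 433, is written without them; `return value.split(',', limit).map(v => v.trim())` matches the file's style. The only record of why the `/\s*,\s*/` split was replaced is the History.md entry, so a why-comment inside the helper would keep a later cleanup from reintroducing the regex, e.g. `// Plain split + trim is linear; the former /\s*,\s*/ split was the ReDoS path noted in the 3.0.0-alpha.3 changelog`. Note also that the helper trims leading and trailing whitespace of the whole header value, which the old regex split did not, so the host, protocol and ips getters all change behaviour slightly on padded values; that is a harmless tightening, but the JSDoc line "All the values are trimmed of whitespace" should say explicitly that this includes the ends of the input string. The `limit` argument is passed straight to `String.prototype.split`, so an omitted limit means no limit but a caller passing `0` would get an empty array; the `@param` description could mention that so the `[0]` at the three call sites is not assumed safe for every limit.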