Merge commit from fork

octokit · Feb 13, 2025 · d558320 · d558320
1 parent 5046116
commit d558320
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/src/index.ts b/src/index.ts
@@ -49,7 +49,7 @@ export class RequestError extends Error {
     if (options.request.headers.authorization) {
       requestCopy.headers = Object.assign({}, options.request.headers, {
         authorization: options.request.headers.authorization.replace(
-          / .*$/,
+          /(?<! ) .*$/,
           " [REDACTED]",
         ),
       });

diff --git a/test/request-error.test.ts b/test/request-error.test.ts
@@ -17,6 +17,40 @@ const mockOptions: RequestErrorOptions = {
 };
 
 describe("RequestError", () => {
+  test("Test ReDoS - attack string", () => {
+    const startTime = performance.now();
+    const error = new RequestError("Oops", 500, {
+      request: {
+        method: "POST",
+        url: "https://api.github.com/foo",
+        body: {
+          bar: "baz",
+        },
+        headers: {
+          authorization: ""+" ".repeat(100000)+"\n@",
+        },
+      },
+      response: {
+        status: 500,
+        url: "https://api.github.com/foo",
+        headers: {
+          "x-github-request-id": "1:2:3:4",
+        },
+        data: {
+          foo: "bar",
+        },
+      },
+    });
+    const endTime = performance.now();
+    const elapsedTime = endTime - startTime;
+    const reDosThreshold = 2000; 
+
+    expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
+    if (elapsedTime > reDosThreshold) {
+      console.warn(`🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
+    }
+  });
+
   test("inherits from Error", () => {
     const error = new RequestError("test", 123, mockOptions);
     expect(error).toBeInstanceOf(Error);