Fix potential ReDOS-Attack-Vector in Headerparser (#72)

* avoid potential catastrophic backtracking * add changelog
fastify · Dec 9, 2021 · 7c19c1d · 7c19c1d
1 parent 811ec0d
commit 7c19c1d
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Changelog
 
-Major changes since the last busboy release (0.31):
+Major changes since the last busboy release (0.3.1):
+
+# 1.0.1 - TBD
+
+* Fix potential ReDOS-Attack-Vector in Headerparser (#72)
 
 # 1.0.0 - 04 December, 2021
 

diff --git a/deps/dicer/lib/HeaderParser.js b/deps/dicer/lib/HeaderParser.js
@@ -79,14 +79,19 @@ HeaderParser.prototype._parseHeader = function () {
         continue
       }
     }
+
+    const posColon = lines[i].indexOf(':')
+    if (
+      posColon === -1 ||
+      posColon === 0
+    ) {
+      return
+    }
     m = RE_HDR.exec(lines[i])
-    if (m) {
-      h = m[1].toLowerCase()
-      if (m[2]) {
-        if (this.header[h] === undefined) { this.header[h] = [m[2]] } else { this.header[h].push(m[2]) }
-      } else { this.header[h] = [''] }
-      if (++this.npairs === this.maxHeaderPairs) { break }
-    } else { return }
+    h = m[1].toLowerCase()
+    this.header[h] = this.header[h] || []
+    this.header[h].push((m[2] || ''))
+    if (++this.npairs === this.maxHeaderPairs) { break }
   }
 }
 

diff --git a/test/dicer-headerparser.spec.js b/test/dicer-headerparser.spec.js
@@ -89,6 +89,27 @@ describe('dicer-headerparser', () => {
       },
       what: 'should enforce maxHeaderSize of 32 and get only first character of second pair'
     },
+    {
+      source: ['Content-Type:\r\n text/plain',
+        ' : '
+      ].join('\r\n') + DCRLF,
+      expected: { 'content-type': [' text/plain : '] },
+      what: 'should not break if invalid header pair (colon exists but empty key and value) is provided'
+    },
+    {
+      source: ['Content-Type:\r\n text/plain',
+        'FoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobaz'
+      ].join('\r\n') + DCRLF,
+      expected: { 'content-type': [' text/plain'] },
+      what: 'should not break if invalid header pair (no distinctive colon) is provided'
+    },
+    {
+      source: ['Content-Type:\r\n text/plain',
+        ':FoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobazFoobaz'
+      ].join('\r\n') + DCRLF,
+      expected: { 'content-type': [' text/plain'] },
+      what: 'should not break if invalid header pair (no key) is provided'
+    },
     {
       source: ['Content-Type:\t  text/plain',
         'Content-Length:0'