From 97731871e674bf93bcbf29e9d3258da8685f3076 Mon Sep 17 00:00:00 2001
From: mmmsssttt404 <931121963@qq.com>
Date: Thu, 17 Jul 2025 02:18:36 +0800
Subject: [PATCH 1/2] Update hosted-git-resolver.js
---
 src/resolvers/exotics/hosted-git-resolver.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/resolvers/exotics/hosted-git-resolver.js b/src/resolvers/exotics/hosted-git-resolver.js
index 83d4ab20b0..aa6ab043da 100644
--- a/src/resolvers/exotics/hosted-git-resolver.js
+++ b/src/resolvers/exotics/hosted-git-resolver.js
@@ -30,8 +30,9 @@ export function explodeHostedGitFragment(fragment: string, reporter: Reporter):
 }
 const parts = fragment
- .replace(/(.*?)#.*/, '$1') // Strip hash
- .replace(/.*:(.*)/, '$1') // Strip prefixed protocols
+ .split('#', 1)[0]
+ .split(':')
+ .pop()
 .replace(/.git$/, '') // Strip the .git suffix
 .split('/');
From af396d504054051b5ccf529369746f600e8ca4fa Mon Sep 17 00:00:00 2001
From: mmmsssttt404 <931121963@qq.com>
Date: Thu, 17 Jul 2025 02:19:28 +0800
Subject: [PATCH 2/2] Update hosted-git-resolver.js
---
 __tests__/resolvers/exotics/hosted-git-resolver.js | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/__tests__/resolvers/exotics/hosted-git-resolver.js b/__tests__/resolvers/exotics/hosted-git-resolver.js
index 403e14374a..260b26ebf2 100644
--- a/__tests__/resolvers/exotics/hosted-git-resolver.js
+++ b/__tests__/resolvers/exotics/hosted-git-resolver.js
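Review bot: `.replace(/.git$/, '')`, kept as a context line while the two regexes above it were replaced with `split`, has an unescaped `.`, so it strips the last four characters of any name ending in `git` (`owner/legit` becomes `owner/le`, i.e. a different repository than the one written); the one-line fix is `.replace(/\.git$/, '') // Strip the .git suffix`. The new `.split('#', 1)[0]` and `.split(':').pop()` lines also dropped the `// Strip hash` / `// Strip prefixed protocols` comments and do not record why regexes were avoided; I would restore them as `.split('#', 1)[0] // Strip hash (no regex: /(.*?)#.*/ backtracks quadratically on long input with no '#')` and `.split(':').pop() // Strip prefixed protocols: keep the text after the last ':'`. One difference from the old code worth a comment: the regexes' `.` stopped at line terminators whereas `split` does not, which should not matter for a git fragment but changes the result for an input containing a newline. explodeHostedGitFragment begins and ends outside this hunk, so whatever happens to `parts` afterwards is not visible here.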
@@ -28,3 +28,13 @@ const reporter = new reporters.NoopReporter({});
 expect(explodeHostedGitFragment(fragment, reporter).hash).toEqual(hash);
 });
 });
+describe('explodeHostedGitFragment DOS vulnerability test', () => {
+ const MAX_MS = 200;
+ test('long fragment without # should finish quickly and throw', () => {
+ const longFragment = '' + '\u0000'.repeat(100000) + '\u0000';
+ const start = Date.now();
+ expect(() => explodeHostedGitFragment(longFragment, reporter)).toThrow();
+ const duration = Date.now() - start;
+ expect(duration).toBeLessThan(MAX_MS);
+ });
+});
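Review bot: `expect(duration).toBeLessThan(MAX_MS)` with `const MAX_MS = 200;` makes the test depend on wall-clock speed: on a loaded CI runner, or under coverage instrumentation, a linear parse of a 100 001-character string plus jest's own overhead can exceed 200 ms and fail spuriously, while the quadratic regexes this guards against need seconds on that input. A much looser budget such as `const MAX_MS = 2000;` still fails on the regression and removes the flakiness. The test also leans on `.toThrow()`, i.e. on the resolver rejecting a fragment with no `/`, which is behavior outside this hunk and worth stating in a comment; a short comment explaining that an input with no `#` and no `:` is exactly the shape that made `/(.*?)#.*/` and `/.*:(.*)/` backtrack across the whole string would make the intent clear to the next reader. The leading `'' +` in `longFragment` is redundant and can be dropped.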