fix: make sure that stripping backslashes for notification urls cannot cause catastophic backtracking (ReDOS) (#5573)

Co-authored-by: Frank Elsinga <frank@elsinga.de>
DayShift 2025-01-26 18:52:12 +08:00 committed by GitHub
parent 7dc6191b0a
commit 7a9191761d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 3 additions and 2 deletions


@ -11,7 +11,8 @@ class PushDeer extends NotificationProvider {
async send(notification, msg, monitorJSON = null, heartbeatJSON = null) {
const okMsg = "Sent Successfully.";
const serverUrl = notification.pushdeerServer || "https://api2.pushdeer.com";
const url = `${serverUrl.trim().replace(/\/*$/, "")}/message/push`;
// capture group below is nessesary to prevent an ReDOS-attack
const url = `${serverUrl.trim().replace(/([^/])\/+$/, "$1")}/message/push`;
let valid = msg != null && monitorJSON != null && heartbeatJSON != null;
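Review bot: The comment above the new `replace` call says the capture group is necessary but not why, and it misspells "necessary", so a later maintainer could simplify the pattern back to `/\/*$/` without noticing the cost. Suggested wording: `// Anchor on a non-slash character ($1) so a long run of slashes that is not at the end of the input is scanned once rather than once per start position (ReDoS).` There is also a small behaviour change worth confirming: a value consisting only of slashes is no longer stripped, because `[^/]` needs a preceding character, so a configured server of `/` now yields `//message/push` where the old pattern gave `/message/push`. The same edge case applies to the Whapi hunk in this commit. The body of `send` continues outside the hunk.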


@ -24,7 +24,7 @@ class Whapi extends NotificationProvider {
"body": msg,
};
let url = (notification.whapiApiUrl || "https://gate.whapi.cloud/").replace(/\/+$/, "") + "/messages/text";
let url = (notification.whapiApiUrl || "https://gate.whapi.cloud/").replace(/([^/])\/+$/, "$1") + "/messages/text";
await axios.post(url, data, config);
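Review bot: The Whapi call site gets the anchored pattern `/([^/])\/+$/` without any comment, unlike the PushDeer change in the same commit, so nothing here tells a reader that the `([^/])` prefix is a ReDoS guard and not stylistic. I would add `// ([^/]) anchors the match so trailing-slash stripping stays linear on long slash runs (ReDoS); do not simplify to /\/+$/` above the `let url` line. The same expression now lives in two providers, so a single shared helper for stripping trailing slashes would keep the hardened pattern in one place; whether a suitable utility module already exists is not visible from this page. The enclosing method starts and ends outside the hunk.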