Merge commit from fork

ShiyuBanzhou · web-flow · commit 34ff07ee86fc · 2025-02-13T09:13:07.000-06:00
diff --git a/src/fetch-wrapper.ts b/src/fetch-wrapper.ts
@@ -96,7 +96,7 @@ export default async function fetchWrapper(
   if ("deprecation" in responseHeaders) {
     const matches =
       responseHeaders.link &&
-      responseHeaders.link.match(/<([^>]+)>; rel="deprecation"/);
+      responseHeaders.link.match(/<([^<>]+)>; rel="deprecation"/);
     const deprecationLink = matches && matches.pop();
     log.warn(
       `[@octokit/request] "${requestOptions.method} ${
diff --git a/test/request.test.ts b/test/request.test.ts
@@ -22,6 +22,30 @@ function stringToArrayBuffer(str: string) {
 }
 
 describe("request()", () => {
+  it("Test ReDoS - attack string", () => {
+    const originalFetch = globalThis.fetch;
+    globalThis.fetch = async (url, options) => {
+      const response = await originalFetch(url, options);
+      const fakeHeaders = new Headers(response.headers);
+      fakeHeaders.set("link", "<".repeat(100000) + ">");
+      fakeHeaders.set("deprecation", "true");
+      return new Response(response.body, {
+        status: response.status,
+        statusText: response.statusText,
+        headers: fakeHeaders
+      });
+    };
+    const startTime = performance.now();
+    request("GET /repos/octocat/hello-world");
+    const endTime = performance.now();
+    const elapsedTime = endTime - startTime;
+    const reDosThreshold = 2000; 
+    expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
+    if (elapsedTime > reDosThreshold) {
+      console.warn(`🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
+    }
+  });
+
   it("is a function", () => {
     expect(request).toBeInstanceOf(Function);
   });
