From 97731871e674bf93bcbf29e9d3258da8685f3076 Mon Sep 17 00:00:00 2001
From: mmmsssttt404 <931121963@qq.com>
Date: Thu, 17 Jul 2025 02:18:36 +0800
Subject: [PATCH 1/4] Update hosted-git-resolver.js
---
 src/resolvers/exotics/hosted-git-resolver.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/resolvers/exotics/hosted-git-resolver.js b/src/resolvers/exotics/hosted-git-resolver.js
index 83d4ab20b0..aa6ab043da 100644
--- a/src/resolvers/exotics/hosted-git-resolver.js
+++ b/src/resolvers/exotics/hosted-git-resolver.js
@@ -30,8 +30,9 @@ export function explodeHostedGitFragment(fragment: string, reporter: Reporter):
 }
 const parts = fragment
- .replace(/(.*?)#.*/, '$1') // Strip hash
- .replace(/.*:(.*)/, '$1') // Strip prefixed protocols
+ .split('#', 1)[0]
+ .split(':')
+ .pop()
 .replace(/.git$/, '') // Strip the .git suffix
 .split('/');
From af396d504054051b5ccf529369746f600e8ca4fa Mon Sep 17 00:00:00 2001
From: mmmsssttt404 <931121963@qq.com>
Date: Thu, 17 Jul 2025 02:19:28 +0800
Subject: [PATCH 2/4] Update hosted-git-resolver.js
---
 __tests__/resolvers/exotics/hosted-git-resolver.js | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/__tests__/resolvers/exotics/hosted-git-resolver.js b/__tests__/resolvers/exotics/hosted-git-resolver.js
index 403e14374a..260b26ebf2 100644
--- a/__tests__/resolvers/exotics/hosted-git-resolver.js
+++ b/__tests__/resolvers/exotics/hosted-git-resolver.js
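Review bot: In the PATCH 1/4 hunk for src/resolvers/exotics/hosted-git-resolver.js, the new `.split('#', 1)[0]`, `.split(':')` and `.pop()` lines drop the `// Strip hash` and `// Strip prefixed protocols` comments and leave nothing to say why plain splitting is used instead of a regex. The removed patterns `/(.*?)#.*/` and `/.*:(.*)/` retry from every start offset when the fragment contains no `#` or `:`, so their cost grows roughly quadratically with fragment length, while the split chain is a single pass; without that context a later cleanup can easily restore the regexes. I would keep the two step comments on the new lines and add one line above the chain, for example `// Plain splits, not regexes: the old patterns backtracked quadratically on long fragments with no '#' or ':'`. The body of explodeHostedGitFragment starts and ends outside this hunk, so whether the fragment length is bounded before this point is not visible here.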
@@ -28,3 +28,13 @@ const reporter = new reporters.NoopReporter({});
 expect(explodeHostedGitFragment(fragment, reporter).hash).toEqual(hash);
 });
 });
+describe('explodeHostedGitFragment DOS vulnerability test', () => {
+ const MAX_MS = 200;
+ test('long fragment without # should finish quickly and throw', () => {
+ const longFragment = '' + '\u0000'.repeat(100000) + '\u0000';
+ const start = Date.now();
+ expect(() => explodeHostedGitFragment(longFragment, reporter)).toThrow();
+ const duration = Date.now() - start;
+ expect(duration).toBeLessThan(MAX_MS);
+ });
+});
From df94c3020eef46e6a0d6785d5a4e515f1b1869d7 Mon Sep 17 00:00:00 2001
From: mmmsssttt404 <931121963@qq.com>
Date: Wed, 13 Aug 2025 10:00:09 +0800
Subject: [PATCH 3/4] Update hosted-git-resolver.js
---
 __tests__/resolvers/exotics/hosted-git-resolver.js | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/__tests__/resolvers/exotics/hosted-git-resolver.js b/__tests__/resolvers/exotics/hosted-git-resolver.js
index 260b26ebf2..403e14374a 100644
--- a/__tests__/resolvers/exotics/hosted-git-resolver.js
+++ b/__tests__/resolvers/exotics/hosted-git-resolver.js
@@ -28,13 +28,3 @@ const reporter = new reporters.NoopReporter({});
 expect(explodeHostedGitFragment(fragment, reporter).hash).toEqual(hash);
 });
 });
-describe('explodeHostedGitFragment DOS vulnerability test', () => {
- const MAX_MS = 200;
- test('long fragment without # should finish quickly and throw', () => {
- const longFragment = '' + '\u0000'.repeat(100000) + '\u0000';
- const start = Date.now();
- expect(() => explodeHostedGitFragment(longFragment, reporter)).toThrow();
- const duration = Date.now() - start;
- expect(duration).toBeLessThan(MAX_MS);
- });
-});
From bfec178f9c5fbc383f165bd48a9fe712d273dbb2 Mon Sep 17 00:00:00 2001
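Review bot: The test added in PATCH 2/4 (__tests__/resolvers/exotics/hosted-git-resolver.js) proves the fix with a wall-clock bound, `expect(duration).toBeLessThan(MAX_MS)` with `MAX_MS = 200`, which can fail on a loaded CI runner for reasons unrelated to the parser. The bare `.toThrow()` also passes on any exception, so it does not show that the oversized fragment was rejected by the intended validation path; passing the expected error class or message to `toThrow` would pin that. The input contains neither `#` nor `:`, so both replaced steps are exercised only together, and no case checks that an ordinary fragment still yields the same parts after the switch to `split`; separate cases for each step plus one well-formed fragment would cover that. The input itself can be written more plainly as `const longFragment = '\u0000'.repeat(100001);`.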
From: mmmsssttt404 <931121963@qq.com>
Date: Wed, 13 Aug 2025 10:02:06 +0800
Subject: [PATCH 4/4] Update hosted-git-resolver.js
---
 src/resolvers/exotics/hosted-git-resolver.js | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/resolvers/exotics/hosted-git-resolver.js b/src/resolvers/exotics/hosted-git-resolver.js
index aa6ab043da..83d4ab20b0 100644
--- a/src/resolvers/exotics/hosted-git-resolver.js
+++ b/src/resolvers/exotics/hosted-git-resolver.js
@@ -30,9 +30,8 @@ export function explodeHostedGitFragment(fragment: string, reporter: Reporter):
 }
 const parts = fragment
- .split('#', 1)[0]
- .split(':')
- .pop()
+ .replace(/(.*?)#.*/, '$1') // Strip hash
+ .replace(/.*:(.*)/, '$1') // Strip prefixed protocols
 .replace(/.git$/, '') // Strip the .git suffix
 .split('/');
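Review bot: The two lines added in PATCH 4/4, `.replace(/(.*?)#.*/, '$1')` and `.replace(/.*:(.*)/, '$1')`, put back the exact patterns that PATCH 1/4 replaced, and with PATCH 3/4 deleting the timing test the series ends with both files back at their starting blobs (index `83d4ab20b0` and `403e14374a`). Both patterns rescan from every start offset when the fragment has no `#` or `:`, so parsing time grows roughly quadratically with the length of a fragment that presumably originates from a dependency specifier. If the revert is intentional the commit message should say why, since every patch in the series carries the same subject "Update hosted-git-resolver.js"; otherwise keep `.split('#', 1)[0]`, `.split(':')`, `.pop()` from PATCH 1/4 together with a regression test. The body of explodeHostedGitFragment extends beyond this hunk on both sides.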