fix: make sure that stripping backslashes for notification urls canno…

…t cause catastophic backtracking (ReDOS) (louislam#5573) Co-authored-by: Frank Elsinga <frank@elsinga.de>
HinchK · Jan 26, 2025 · 7a91917 · 7a91917
1 parent 7dc6191
commit 7a91917
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/server/notification-providers/pushdeer.js b/server/notification-providers/pushdeer.js
@@ -11,7 +11,8 @@ class PushDeer extends NotificationProvider {
     async send(notification, msg, monitorJSON = null, heartbeatJSON = null) {
         const okMsg = "Sent Successfully.";
         const serverUrl = notification.pushdeerServer || "https://api2.pushdeer.com";
-        const url = `${serverUrl.trim().replace(/\/*$/, "")}/message/push`;
+        // capture group below is nessesary to prevent an ReDOS-attack
+        const url = `${serverUrl.trim().replace(/([^/])\/+$/, "$1")}/message/push`;
 
         let valid = msg != null && monitorJSON != null && heartbeatJSON != null;
 

diff --git a/server/notification-providers/whapi.js b/server/notification-providers/whapi.js
@@ -24,7 +24,7 @@ class Whapi extends NotificationProvider {
                 "body": msg,
             };
 
-            let url = (notification.whapiApiUrl || "https://gate.whapi.cloud/").replace(/\/+$/, "") + "/messages/text";
+            let url = (notification.whapiApiUrl || "https://gate.whapi.cloud/").replace(/([^/])\/+$/, "$1") + "/messages/text";
 
             await axios.post(url, data, config);