git-watchtower 1.10.17 → 1.10.18
- package/package.json +1 -1
- package/src/server/coordinator.js +15 -0
package/package.json
CHANGED
|
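--- a/package/src/server/coordinator.js
+++ b/package/src/server/coordinator.js
@@ -26,6 +26,13 @@ const crypto = require('crypto');
 */
 const WATCHTOWER_DIR = path.join(os.homedir(), '.watchtower');
 
+/**
+* Maximum IPC receive buffer size (1 MiB). Connections that exceed
+* this without a complete newline-delimited message are dropped to
+* prevent unbounded memory growth from malformed or malicious peers.
+*/
+const MAX_IPC_BUFFER = 1024 * 1024;
+
 /**
 * Lock file path
 */
@@ -268,6 +275,10 @@ class Coordinator {
 
 socket.on('data', (data) => {
 buffer += data.toString();
+if (buffer.length > MAX_IPC_BUFFER) {
+socket.destroy();
+return;
+}
 let newlineIdx;
 while ((newlineIdx = buffer.indexOf('\n')) !== -1) {
 const line = buffer.slice(0, newlineIdx);
@@ -413,6 +424,10 @@ class Worker {
 
 this.socket.on('data', (data) => {
 this._buffer += data.toString();
+if (this._buffer.length > MAX_IPC_BUFFER) {
+this.socket.destroy();
+return;
+}
 let idx;
 while ((idx = this._buffer.indexOf('\n')) !== -1) {
 const line = this._buffer.slice(0, idx);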
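Review bot: The size check in both `data` handlers (Coordinator, new lines 278-281, and Worker, new lines 427-430) runs before the newline-draining loop, so a chunk that completes a large message and pushes the accumulated string past `MAX_IPC_BUFFER` destroys the socket even though a complete message is present, which is stricter than the doc comment on the constant describes. Measuring only the unterminated remainder, by placing `if (buffer.length > MAX_IPC_BUFFER) { socket.destroy(); return; }` after the `while` loop, would match the comment and still bound memory to the cap plus one chunk. In the Worker handler `this._buffer` is not cleared on the drop path, so the oversized string presumably stays referenced for as long as the Worker instance lives; `this._buffer = '';` before `this.socket.destroy();` would release it. `.length` counts UTF-16 code units of the decoded string rather than bytes, so the 1 MiB figure is approximate, and the drop is silent, which leaves an operator no trace that a peer hit the limit. Both handlers continue past the end of their hunks, so the loop bodies and any close or error handling are not visible here.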