undici 7.17.0 → 7.18.0

package/README.md CHANGED
@@ -533,6 +533,12 @@ const { headers } = await request(url);
 
  The [Fetch Standard](https://fetch.spec.whatwg.org) requires implementations to exclude certain headers from requests and responses. In browser environments, some headers are forbidden so the user agent remains in full control over them. In Undici, these constraints are removed to give more control to the user.
 
+ #### Content-Encoding
+
+ * https://www.rfc-editor.org/rfc/rfc9110#field.content-encoding
+
+ Undici limits the number of `Content-Encoding` layers in a response to **5** to prevent resource exhaustion attacks. If a server responds with more than 5 content-encodings (e.g., `Content-Encoding: gzip, gzip, gzip, gzip, gzip, gzip`), the fetch will be rejected with an error. This limit matches the approach taken by [curl](https://curl.se/docs/CVE-2022-32206.html) and [urllib3](https://github.com/advisories/GHSA-gm62-xv2j-4rw9).
+
  #### `undici.upgrade([url, options]): Promise`
 
  Upgrade to a different protocol. See [MDN - HTTP - Protocol upgrade mechanism](https://developer.mozilla.org/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism) for more details.
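Review bot: the urllib3 advisory identifier cited in this new section (GHSA-gm62-xv2j-4rw9) does not match the one in the code comment of the `httpNetworkFetch` hunk in this same release (GHSA-gm62-xv2j-4w53); one of the two is a typo, and the README link should be checked against the actual advisory page before this ships. It would also help consumers if "rejected with an error" named the error type they should expect, so that this hard limit can be told apart from ordinary network failures in their error handling.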
@@ -2130,6 +2130,15 @@ async function httpNetworkFetch (
  // "All content-coding values are case-insensitive..."
  /** @type {string[]} */
  const codings = contentEncoding ? contentEncoding.toLowerCase().split(',') : []
+
+ // Limit the number of content-encodings to prevent resource exhaustion.
+ // CVE fix similar to urllib3 (GHSA-gm62-xv2j-4w53) and curl (CVE-2022-32206).
+ const maxContentEncodings = 5
+ if (codings.length > maxContentEncodings) {
+ reject(new Error(`too many content-encodings in response: ${codings.length}, maximum allowed is ${maxContentEncodings}`))
+ return true
+ }
+
  for (let i = codings.length - 1; i >= 0; --i) {
  const coding = codings[i].trim()
  // https://www.rfc-editor.org/rfc/rfc9112.html#section-7.2
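Review bot: the limit is checked on `codings.length` immediately after `split(',')`, before the per-entry `trim()` in the loop below, so empty entries produced by stray commas (for example `Content-Encoding: gzip,,,,,`) count toward the cap and the number reported in the error message can exceed the number of real codings; counting after trimming and dropping empty entries would make the message accurate, although rejecting early is harmless for the resource-exhaustion goal. The comment cites GHSA-gm62-xv2j-4w53 while the README hunk in this release cites GHSA-gm62-xv2j-4rw9; reconcile the two. Consider hoisting `maxContentEncodings` to a module-level constant so the value documented in the README has a single source of truth, and confirm that rejecting with a plain `Error` here is consistent with how the other failure paths in `httpNetworkFetch` reject.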
package/package.json CHANGED
@@ -1,6 +1,6 @@
  {
  "name": "undici",
- "version": "7.17.0",
+ "version": "7.18.0",
  "description": "An HTTP/1.1 client, written from scratch for Node.js",
  "homepage": "https://undici.nodejs.org",
  "bugs": {