undici 7.18.1 → 7.18.2

@@ -64,10 +64,18 @@ class DecompressHandler extends DecoratorHandler {
64
64
  *
65
65
  * @param {string} encodings - Comma-separated list of content encodings
66
66
  * @returns {Array<DecompressorStream>} - Array of decompressor streams
67
+ * @throws {Error} - If the number of content-encodings exceeds the maximum allowed
67
68
  */
68
69
  #createDecompressionChain (encodings) {
69
70
  const parts = encodings.split(',')
70
71
 
72
+ // Limit the number of content-encodings to prevent resource exhaustion.
73
+ // CVE fix similar to urllib3 (GHSA-gm62-xv2j-4w53) and curl (CVE-2022-32206).
74
+ const maxContentEncodings = 5
75
+ if (parts.length > maxContentEncodings) {
76
+ throw new Error(`too many content-encodings in response: ${parts.length}, maximum allowed is ${maxContentEncodings}`)
77
+ }
78
+
71
79
  /** @type {DecompressorStream[]} */
72
80
  const decompressors = []
73
81
 
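Review bot: The bound is a bare literal inside the method (`const maxContentEncodings = 5`) and the new `@throws` tag only says "exceeds the maximum allowed", so a reader of the docs never learns the number; hoisting it to a module-level `const MAX_CONTENT_ENCODINGS = 5` beside the CVE comment and naming it in the tag, e.g. `@throws {Error} - If the response lists more than 5 content-encodings`, would keep the limit discoverable and tunable in one place. Because `parts` comes straight from `encodings.split(',')`, empty segments count as well, so a header such as `gzip,,,,,` is rejected before any decompressor is built — that is the safer direction, but a one-line comment stating that the count is intentionally taken on the raw split would stop a later cleanup from moving the check below the loop. The rejection is a plain `Error`, which callers cannot tell apart from other failures by type; if the file already has one of the project's error classes in scope (the imports are not visible here) it may be the better fit. The rest of `#createDecompressionChain` continues outside the hunk.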
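--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "undici",
-"version": "7.18.1",
+"version": "7.18.2",
 "description": "An HTTP/1.1 client, written from scratch for Node.js",
 "homepage": "https://undici.nodejs.org",
 "bugs": {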