- Defend against a "ReDoS"-attack from the "Content-Type" http-field.
- Call the "LoaderAndChecker.setCouldRetryRegex()" inside "UrlChecker.checkUrlConnectivity()".
LSmyrnaios committed Dec 5, 2024
1 parent 37973a4 commit 7a2068e
Showing 2 changed files with 4 additions and 0 deletions.
Expand Up @@ -358,6 +358,9 @@ public static String getPlainMimeType(String mimeType)
if ( mimeType == null ) { // Null-check to avoid NPE in "matcher()".
logger.warn("A null mimeType was given to \"getPlainMimeType()\".");
return null;
} else if ( mimeType.length() > 200 ) {
logger.warn("A suspiciously large mimeType was given to \"getPlainMimeType()\", having length: " + mimeType.length());
return null; // If it contains garbage, it may cause a "ReDoS"-attack, when being processed by "MIME_TYPE_FILTER"-regex.
}

String plainMimeType = null;
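Review bot: The 200-character cap in the new `else if` branch bounds the input but does not by itself remove the backtracking risk. If `MIME_TYPE_FILTER` (not visible in this hunk) has nested or overlapping quantifiers, an input well under 200 characters can still take exponential time to reject. The pattern itself is worth reviewing, with ambiguous groups rewritten using possessive quantifiers or atomic groups, so that the length check is a second layer rather than the only one. The literal would also read better as a named constant, e.g. `private static final int MAX_MIME_TYPE_LENGTH = 200;`, with a comment on how the bound was chosen. The body of `getPlainMimeType` continues past the end of the hunk.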
Expand Up @@ -792,6 +792,7 @@ public void checkUrlConnectivity()
// Set some needed data.
ConnSupportUtils.setKnownMimeTypes();
UrlTypeChecker.setRuntimeInitializedRegexes();
LoaderAndChecker.setCouldRetryRegex();

ArgsUtils.shouldDownloadDocFiles = true;
ArgsUtils.fileNameType = ArgsUtils.fileNameTypeEnum.idName;
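Review bot: The setup at the top of `checkUrlConnectivity()` now relies on three separate static initializers being called by hand, and the `// Set some needed data.` comment does not say what fails when one is left out. Since this commit adds a call that was apparently missing here, consider grouping the three behind one helper so other entry points cannot miss one. Alternatively, extend the comment to something like `// Runtime-initialized regexes and mime-type data; all must be set before any URL is checked.`, with the wording confirmed against what the setters actually do. The method body extends beyond the hunk.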
