fix: ReDoS referrer

[doublevkay]

Purpose

Fix Inefficient Regular Expression Complexity (ReDoS) in the referrer regex.

Inefficient regular expression complexity regex when trying to match Potentially Trustworthy could lead to a denial of service attack. With a formed payload 'http://' + 'a.a.'.repeat(i) + 'a', 76 characters payload could take 42642 ms time execution.

Changes

• Change Potentially Trustworthy regex matcher.

Additional information

• Report on Huntr

---

• I updated readme
• I added unit test(s)

---

• fix #1609

[jimmywarting]

LGTM

dose not match just localhost

[github-actions]

🎉 This PR is included in version 3.2.10 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[FlameFractal]

Can we add this to v2 (CommonJS) as well?

(ref)

[LinusU]

Can we add this to v2 (CommonJS) as well?

We would be happy to accept a PR for this

[FlameFractal]

I went through 2.x code and I could not find this issue there. 2.x doesn't even implement referrer, and there's no check for localhost anywhere else either. Moreover, there's only 10 regex tests and I think none contain this vulnerability (maybe @vovikhangcdv could verify this).

We got a Snyk-bot notification about this issue, but I think node-fetch:2.x is not affected by this CVE.

[doublevkay]

Hi there, I confirm that version 2.x is not affected by this vulnerability.

[doublevkay]

I suggest we could add a Security Advisory and specify the affected version for this issue.

[JamieSlome]

Just for clarity, we have updated the CVE here:

CVEProject/cvelist#6757