JefferyHus / es6-crawler-detect

:spider: This is an ES6 adaptation of the original PHP library CrawlerDetect. This library will help you detect bots/crawlers/spiders via the user agent.
MIT License
90 stars 30 forks

ReDoS prevention #26

Closed exx8 closed 3 years ago

exx8 commented 3 years ago

This PR limits the user agent size which can be delivered to the lib.

We need to think if this limitation is too relaxed or too conservative. This PR should not damage functionality.

25

TO DO

JefferyHus commented 3 years ago

Thanks for the PR. We need a test case to prove this is working.

exx8 commented 3 years ago

We need to think about what is a reasonable limitation of consecutive characters. Like 5 characters?

exx8 commented 3 years ago

Sorry my friend, I currently don't have any more time to spend on this PR in the following days. Regarding the repeats you asked about, you might want to get inspiration from this: https://stackoverflow.com/a/15688386/14651383

JefferyHus commented 3 years ago

> Sorry my friend, I currently don't have any more time to spend on this PR in the following days. Regarding the repeats you asked about, you might want to get inspiration from this: https://stackoverflow.com/a/15688386/14651383

In that case I will merge what you did so far then work on the other features. Cheers
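
The two limits discussed in this thread (a cap on user agent size and a cap on consecutive repeated characters), sketched as an added example that is not code from the PR or from es6-crawler-detect. `sanitizeUserAgent`, `isCrawler`, the 512-character cap and the sample pattern are assumptions; the run limit of 5 is the figure floated above.

```javascript
// Added example: not code from the PR or from es6-crawler-detect.
const MAX_UA_LENGTH = 512; // assumed cap; tune against real traffic
const MAX_RUN = 5;         // the "like 5 characters?" figure from the thread

// Bound the input before any crawler regex sees it.
function sanitizeUserAgent(ua, maxLength = MAX_UA_LENGTH, maxRun = MAX_RUN) {
  if (typeof ua !== 'string') return '';
  // Cap first, so the collapse step below also works on bounded input.
  const capped = ua.slice(0, maxLength);
  // One character followed by maxRun or more copies of itself: a run longer
  // than maxRun. No nested quantifiers, so this pattern is itself cheap.
  const longRun = new RegExp(`(.)\\1{${maxRun},}`, 'gs');
  return capped.replace(longRun, (run, ch) => ch.repeat(maxRun));
}

// Hypothetical stand-in for the library's crawler pattern list.
const SAMPLE_CRAWLER_PATTERN = /googlebot|bingbot|crawler|spider/i;

function isCrawler(ua, pattern = SAMPLE_CRAWLER_PATTERN) {
  const safe = sanitizeUserAgent(ua);
  return safe.length > 0 && pattern.test(safe);
}

// Constructed sample inputs.
const samples = {
  googlebot: 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',
  longRun: 'a'.repeat(100000),                   // collapses to 5 characters
  tokenPastCap: 'ab'.repeat(300) + ' Googlebot', // bot token sits beyond the cap
};

for (const [name, ua] of Object.entries(samples)) {
  const safe = sanitizeUserAgent(ua);
  console.log(name, ua.length, '->', safe.length, 'crawler:', isCrawler(ua));
}
```

The `tokenPastCap` sample shows the cost of a cap that is too conservative: a crawler token beyond the limit is no longer detected, so the chosen length should be checked against real user agents in the test suite.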