Closed dotchev closed 7 years ago
Try editing the `uri-js/build/uri.js` file and changing the variable `URI__VALIDATE_SUPPORT` to `false`. This should give you better performance. In the next release, I'll make this an option you can pass in.
Yes, now with this change `parse` completes immediately, also the used regex is much simpler
```
/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c
0%ae%c0%ae/%c0%ae%c0%ae/windows\win.ini
/^(?:([^:\/?#]+):)?(?:\/\/((?:([^\/?#@]*)@)?([^\/?#:]*)(?:\:(\d*))?))?([^?#]*)(?:\?([^#]*))?(?:#((?:.|\n)*))?/i
time: 0ms
{ scheme: undefined,
  userinfo: undefined,
  host: undefined,
  port: undefined,
  path: '/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE
%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/windows%5Cwin.ini',
  query: undefined,
  fragment: undefined,
  reference: 'relative' }
```
You can close this issue when you provide it as an option.
I've removed validation in v3 of URI.js, so this is no longer an issue.
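An added example, not code from this thread or from uri-js: a timing harness that compares the split-only regex quoted above with a constructed validating regex on paths shaped like the one in the report. `VALIDATING` is an assumption standing in for a generated validation regex (it is not the one uri-js produced), and the helper names `buildPath`, `timeExec`, `growthFactor` and `pathOf` are hypothetical.

```javascript
// Constructed stand-in for a validating path regex: the nested quantifiers
// ((...)+)* let one run of %XX triplets be split in many different ways.
// It is NOT the regex uri-js generated.
const VALIDATING = /^(?:\/(?:(?:%[0-9a-f]{2})+)*)*$/i;

// Non-validating split regex quoted in the thread (validation switched off).
const SPLIT_ONLY = /^(?:([^:\/?#]+):)?(?:\/\/((?:([^\/?#@]*)@)?([^\/?#:]*)(?:\:(\d*))?))?([^?#]*)(?:\?([^#]*))?(?:#((?:.|\n)*))?/i;

// Same shape as the request path in the thread: n encoded segments, then a
// tail containing a character (backslash) that the validating regex rejects,
// which forces it to try every way of splitting the earlier segments.
function buildPath(segments) {
  return "/%c0%ae%c0%ae".repeat(segments) + "/windows\\win.ini";
}

// Milliseconds spent in a single exec() call.
function timeExec(regex, input) {
  const start = performance.now();
  regex.exec(input);
  return performance.now() - start;
}

// Regression check: how many times slower is matching at `large` segments
// than at `small`? A linear regex stays near large/small; a backtracking
// one multiplies by a constant factor for every added segment.
function growthFactor(regex, small, large) {
  const base = Math.max(timeExec(regex, buildPath(small)), 0.001);
  return timeExec(regex, buildPath(large)) / base;
}

// Capture group 6 of the split-only regex is the path component.
function pathOf(input) {
  return SPLIT_ONLY.exec(input)[6];
}

// Small sweep, kept to 6 segments so the slow regex still finishes quickly.
for (let n = 1; n <= 6; n++) {
  const p = buildPath(n);
  console.log(n, "segments | validating:", timeExec(VALIDATING, p).toFixed(3),
              "ms | split-only:", timeExec(SPLIT_ONLY, p).toFixed(3), "ms");
}
```

A check like `growthFactor` fits in a test suite next to an input-length cap, so a regex change that reintroduces super-linear matching fails the build rather than surfacing in production.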
During penetration tests with Burp Suite we found that our app hangs on some requests. It turned out that uri-js `parse` hangs on some long URLs. Here is a simple script to reproduce it:

Here is the result on my machine

Notice how the time increases exponentially - about 5x for each new segment. So with long enough URL `parse` just hangs at 100% CPU.

It seems uri-js uses a generated regex which in my case appears to be this: