From f5988751114e7909b311a5e47e9522254efab5d8 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 8 Jan 2026 20:23:28 +0000
Subject: [PATCH] feat(security): enforce maximum version string length

Add `MAX_VERSION_LENGTH` constant (256) to prevent processing of excessively long strings in `compareTo`, mitigating potential DoS/CPU exhaustion risks. Input strings exceeding this limit now return NaN (fail-closed).
---
 src/index.ts | 10 ++++++++++
 src/security.test.ts | 8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/src/index.ts b/src/index.ts
index 625ca80..4985035 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -19,6 +19,12 @@ export const EOL_DATES: Record = {
   "24": "2028-04-30",
 };
 
+/**
+ * Maximum allowed length for version strings.
+ * Used to prevent potential DoS attacks via extremely long input strings.
+ */
+const MAX_VERSION_LENGTH = 256;
+
 /**
  * Check if a major version is EOL.
  */
@@ -52,6 +58,10 @@ export const getVersion = (): NodeVersion => {
  * Compare the current node version with a target version string.
  */
 const compareTo = (target: string): number => {
+  if (target.length > MAX_VERSION_LENGTH) {
+    return NaN;
+  }
+
   if (target !== target.trim() || target.length === 0) {
     return NaN;
   }
diff --git a/src/security.test.ts b/src/security.test.ts
index b5942fd..2badf94 100644
--- a/src/security.test.ts
+++ b/src/security.test.ts
@@ -63,4 +63,12 @@ describe("security fixes", () => {
     const v = getVersion();
     expect(v.isAtLeast("10.0.0")).toBe(true);
   });
+
+  test("should reject extremely long version strings (DoS prevention)", () => {
+    const v = getVersion();
+    // 300 chars > MAX_VERSION_LENGTH (256)
+    const longString = "1".repeat(300);
+    expect(v.isAtLeast(longString)).toBe(false);
+    expect(v.isAtMost(longString)).toBe(false);
+  });
 });
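Review bot: `MAX_VERSION_LENGTH` is module-private, so the new test in src/security.test.ts has to restate the value in a comment (`// 300 chars > MAX_VERSION_LENGTH (256)`) and will silently drift if the limit is ever tuned. If growing the package's public surface is acceptable, `export const MAX_VERSION_LENGTH = 256;` lets the test build its input as `"1".repeat(MAX_VERSION_LENGTH + 1)`; otherwise keep it private but note in the doc comment that the limit counts UTF-16 code units (`String.prototype.length`), not characters, since that is what the guard in `compareTo` compares against.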
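Review bot: The length guard is correctly placed before `target.trim()`, so no work is done on an over-long input, but a cap is only a CPU-exhaustion mitigation if the parsing that follows is roughly linear in the input; the rest of `compareTo` is outside this hunk, and if it parses with a regex containing overlapping or nested quantifiers, 256 code units can still cost noticeable backtracking time. Worth confirming the parser's cost on a 256-character adversarial string (e.g. many dots or a long run of digits) rather than relying on the cap alone. A one-line why-comment on the guard, `// Fail closed before trim()/parse so an over-long input costs O(1)`, would record the intent for the next reader.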
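Review bot: The new test cannot distinguish the length guard from the existing validation: `"1".repeat(300)` has no dots, so if the parser already rejects a bare digit run, `isAtLeast`/`isAtMost` return false with or without this commit. To actually pin the limit, use an input that is otherwise well-formed and straddles the boundary — for example a version string padded to exactly `MAX_VERSION_LENGTH` that is expected to parse, and the same string one code unit longer that must not — and, if `compareTo` is reachable from the test, assert the `NaN` result directly rather than only its false-coercion through `isAtLeast`. Whether a padded version is accepted by the parser is not visible in this hunk and should be checked against src/index.ts.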