CodeQL fix: limit parameter sizes

This commit is contained in:
mikiher 2025-10-15 18:54:29 +03:00
parent 888190a6be
commit 3f6162f53c
2 changed files with 19 additions and 6 deletions


@ -385,6 +385,11 @@ class BookFinder {
if (!title) return books
// Truncate excessively long inputs to prevent ReDoS attacks
const MAX_INPUT_LENGTH = 500
title = title.substring(0, MAX_INPUT_LENGTH)
author = author?.substring(0, MAX_INPUT_LENGTH) || author
const isTitleAsin = isValidASIN(title.toUpperCase())
let actualTitleQuery = title
@ -402,7 +407,7 @@ class BookFinder {
let authorCandidates = new BookFinder.AuthorCandidates(cleanAuthor, this.audnexus)
// Remove underscores and parentheses with their contents, and replace with a separator
// Use negated character classes to prevent ReDoS vulnerability
// Use negated character classes to prevent ReDoS vulnerability (input length validated at entry point)
const cleanTitle = title.replace(/\[[^\]]*\]|\([^)]*\)|{[^}]*}|_/g, ' - ')
// Split title into hypen-separated parts
const titleParts = cleanTitle.split(/ - | -|- /)
@ -669,7 +674,7 @@ function cleanTitleForCompares(title, keepSubtitle = false) {
let stripped = keepSubtitle ? title : stripSubtitle(title)
// Remove text in paranthesis (i.e. "Ender's Game (Ender's Saga)" becomes "Ender's Game")
// Use a safe two-pass approach to prevent ReDoS vulnerability
// Use negated character class to prevent ReDoS vulnerability (input length validated at entry point)
let cleaned = stripped.replace(/\([^)]*\)/g, '') // Remove parenthetical content
cleaned = cleaned.replace(/\s+/g, ' ').trim() // Clean up any resulting multiple spaces
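Review bot: The rewritten comment in the third hunk, "input length validated at entry point", documents a guarantee that `cleanTitleForCompares` itself does not enforce: the 500-character truncation lives in the BookFinder method at the top of the first hunk (`MAX_INPUT_LENGTH` is a local `const` there), so any caller that reaches this module-level function without going through that method gets no bound at all. The negated-class patterns here are linear on their own, so this is defense in depth rather than an open ReDoS, but the claim should be enforced where it is made: hoist the limit to module scope as `const MAX_INPUT_LENGTH = 500` and open this function with `title = title.substring(0, MAX_INPUT_LENGTH)`, so both sites share one constant. Separately, in the first hunk `author?.substring(0, MAX_INPUT_LENGTH) || author` differs from the bare optional-chain form only when `author` is `null` or `''`; a one-line comment such as `// keep null/empty author unchanged` would stop a later "simplification" from altering that. The bodies of both `cleanTitleForCompares` and the BookFinder method continue outside the visible hunks.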