Merge commit from fork

* fix: avoid redos on host and protocol getter

Only effect on app.proxy enable

closes GHSA-593f-38f6-jp5m

* 3.0.0-alpha.3

History.md

@@ -1,4 +1,10 @@
 
+3.0.0-alpha.3 / 2025-02-11
+==================
+
+**fixes**
+- Avoid redos on host and protocol getter
+
 3.0.0-alpha.2 / 2024-11-04
 ==================
 

lib/request.js

@@ -256,7 +256,7 @@ module.exports = {
       if (!host) host = this.get('Host')
     }
     if (!host) return ''
-    return host.split(/\s*,\s*/, 1)[0]
+    return splitCommaSeparatedValues(host, 1)[0]
   },
 
   /**
@@ -401,7 +401,7 @@ module.exports = {
     if (this.socket.encrypted) return 'https'
     if (!this.app.proxy) return 'http'
     const proto = this.get('X-Forwarded-Proto')
-    return proto ? proto.split(/\s*,\s*/, 1)[0] : 'http'
+    return proto ? splitCommaSeparatedValues(proto, 1)[0] : 'http'
   },
 
   /**
@@ -433,7 +433,7 @@ module.exports = {
     const proxy = this.app.proxy
     const val = this.get(this.app.proxyIpHeader)
     let ips = proxy && val
-      ? val.split(/\s*,\s*/)
+      ? splitCommaSeparatedValues(val)
       : []
     if (this.app.maxIpsCount > 0) {
       ips = ips.slice(-this.app.maxIpsCount)
@@ -723,3 +723,15 @@ module.exports = {
 if (util.inspect.custom) {
   module.exports[util.inspect.custom] = module.exports.inspect
 }
+
+/**
+ * Split a comma-separated value string into an array of values, with an optional limit.
+ * All the values are trimmed of whitespace.
+ *
+ * @param {string} value - The comma-separated value string to split.
+ * @param {number} [limit] - The maximum number of values to return.
+ * @returns {string[]} An array of values from the comma-separated string.
+ */
+function splitCommaSeparatedValues(value, limit) {
+  return value.split(',', limit).map(v => v.trim());
+}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "koa",
-  "version": "3.0.0-alpha.2",
+  "version": "3.0.0-alpha.3",
   "publishConfig": {
     "tag": "experimental"
   },