Merge commit from fork

* regular expression term vulnerability

* regular expression term vulnerability

src/iterator.ts

@@ -37,7 +37,7 @@ export function iterator(
           // '<https://api.github.com/users/aseemk/followers?page=2>; rel="next", <https://api.github.com/users/aseemk/followers?page=2>; rel="last"'
           // sets `url` to undefined if "next" URL is not present or `link` header is not set
           url = ((normalizedResponse.headers.link || "").match(
-            /<([^>]+)>;\s*rel="next"/,
+            /<([^<>]+)>;\s*rel="next"/,
           ) || [])[1];
 
           return { value: normalizedResponse };

test/paginate.test.ts

@@ -10,6 +10,38 @@ const ORG2 = { id: 2 };
 
 const TestOctokit = Octokit.plugin(paginateRest, restEndpointMethods);
 describe("pagination", () => {
+  it("Test ReDoS - attack string", async () => {
+    const ReDosOctokit = Octokit.plugin(paginateRest);
+    const octokit = new ReDosOctokit({
+      auth: "your-github-token",
+    });
+    octokit.hook.wrap("request", async (request, options) => {
+      const maliciousLinkHeader = "" + "<".repeat(100000) + ">";
+      return {
+        data: [],
+        headers: {
+          link: maliciousLinkHeader,
+        },
+      };
+    });
+    const startTime = performance.now();
+    try {
+      for await (const normalizedResponse of octokit.paginate.iterator(
+        "GET /repos/{owner}/{repo}/issues", { owner: "DayShift", repo: "ReDos", per_page: 100 }
+      )) {}
+    } catch (error) {
+      // pass
+    }
+    const endTime = performance.now();
+    const elapsedTime = endTime - startTime;
+    const reDosThreshold = 2000; 
+
+    expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
+    if (elapsedTime > reDosThreshold) {
+      console.warn(`🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
+    }
+  });
+
   it(".paginate()", async () => {
     const mock = fetchMock
       .createInstance()