From 63f8e98add7dfe202e29ff5dbdda5cff4b9b99b4 Mon Sep 17 00:00:00 2001
From: Dorian Niemiec
Date: Fri, 15 Dec 2023 00:05:22 +0100
Subject: [PATCH] SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.
---
 svr.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/svr.js b/svr.js
index 53b22b2..9623fb6 100644
--- a/svr.js
+++ b/svr.js
@@ -1282,6 +1282,7 @@ if (!fs.existsSync(__dirname + "/config.json")) {
 }
 var certificateError = null;
+var sniReDos = false;
 // Load SNI
 if (secure) {
@@ -1291,6 +1292,9 @@ if (secure) {
 var sniNames = Object.keys(sni);
 var sniCredentials = [];
 sniNames.forEach(function (sniName) {
+ if(typeof sniName === "string" && sniName.match(/\*[^*.]*\*[^*.]*(?:\.|$)/)) {
+ sniReDos = true;
+ }
 sniCredentials.push({
 name: sniName,
 cert: fs.readFileSync((sni[sniName].cert[0] != "/" && !sni[sniName].cert.match(/^[A-Z0-9]:\\/)) ? __dirname + "/" + sni[sniName].cert : sni[sniName].cert).toString(),
@@ -4892,6 +4896,7 @@ function start(init) {
 }
 if (certificateError) throw new Error("There was a problem with SSL certificate/private key: " + certificateError.message);
 if (wwwrootError) throw new Error("There was a problem with your web root: " + wwwrootError.message);
+ if (sniReDos) throw new Error("Refusing to start, because the current SNI configuration would make the server vulnerable to ReDoS.");
 }
 // Information about starting the server
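Review bot: The check added at the top of the `sniNames.forEach` callback carries no comment, and the regex does not explain itself: it flags a name in which two `*` fall inside one dot-separated label (constructed example: `*a*.example.com`), while names with one wildcard per label pass. I would put `// Two wildcards in one label: flag it so start() refuses to run (ReDoS risk)` above the `if`. The code that turns SNI names into a matcher is outside this diff, so whether this one shape covers every backtracking-prone name should be confirmed against it. `typeof sniName === "string"` is always true for `Object.keys` results and can go; the callback body continues past the hunk.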
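Review bot: The error thrown in `start` does not name the SNI entry that tripped the check, so with many host names configured the operator has to hunt for the offending key. Keeping the name instead of a boolean fixes that: set `sniReDos = sniReDos || sniName;` in the `forEach` hunk and throw `new Error("Refusing to start, because the SNI host name \"" + sniReDos + "\" would make the server vulnerable to ReDoS.")` here. The flag is declared as `false` in the first hunk, so the truthiness test keeps working. The block enclosing these throws opens outside the hunk.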