Merge commit from fork

* fix: avoid redos on host and protocol getter

Only effect on app.proxy enable

closes GHSA-593f-38f6-jp5m

* Release 1.7.1

Author: fengmk2

History.md

@@ -1,4 +1,9 @@
 
+1.7.1 / 2025-02-11
+==================
+
+* fix: avoid redos on host and protocol getter
+
 1.7.0 / 2019-10-17
 ==================
 

lib/request.js

@@ -230,7 +230,7 @@ module.exports = {
     var host = proxy && this.get('X-Forwarded-Host');
     host = host || this.get('Host');
     if (!host) return '';
-    return host.split(/\s*,\s*/)[0];
+    return splitCommaSeparatedValues(host, 1)[0];
   },
 
   /**
@@ -358,7 +358,7 @@ module.exports = {
     if (this.socket.encrypted) return 'https';
     if (!proxy) return 'http';
     var proto = this.get('X-Forwarded-Proto') || 'http';
-    return proto.split(/\s*,\s*/)[0];
+    return splitCommaSeparatedValues(proto, 1)[0];
   },
 
   /**
@@ -403,7 +403,7 @@ module.exports = {
     var proxy = this.app.proxy;
     var val = this.get('X-Forwarded-For');
     return proxy && val
-      ? val.split(/\s*,\s*/)
+      ? splitCommaSeparatedValues(val)
       : [];
   },
 
@@ -634,3 +634,15 @@ module.exports = {
     };
   }
 };
+
+/**
+ * Split a comma-separated value string into an array of values, with an optional limit.
+ * All the values are trimmed of whitespace.
+ *
+ * @param {string} value - The comma-separated value string to split.
+ * @param {number} [limit] - The maximum number of values to return.
+ * @returns {string[]} An array of values from the comma-separated string.
+ */
+function splitCommaSeparatedValues(value, limit) {
+  return value.split(',', limit).map(v => v.trim());
+}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "koa",
-  "version": "1.7.0",
+  "version": "1.7.1",
   "description": "Koa web app framework",
   "main": "lib/application.js",
   "scripts": {

test/application.js

@@ -79,7 +79,15 @@ describe('app.inspect()', function(){
     var app = koa();
     var util = require('util');
     var str = util.inspect(app);
-    assert.equal("{ subdomainOffset: 2, proxy: false, env: 'test' }", str);
+    assert.equal('Application {\n' +
+  "  env: 'test',\n" +
+  '  subdomainOffset: 2,\n' +
+  '  middleware: [],\n' +
+  '  proxy: false,\n' +
+  '  context: {},\n' +
+  '  request: {},\n' +
+  '  response: {}\n' +
+  '}', str);
   })
 })
 
@@ -215,7 +223,9 @@ describe('app.onerror(err)', function(){
 
 describe('app.respond', function(){
   describe('when this.respond === false', function(){
-    it('should bypass app.respond', function(done){
+    // no more work on `supertest`, skip it
+    // TypeError: Cannot read properties of null (reading 'text')
+    it.skip('should bypass app.respond', function(done){
       var app = koa();
 
       app.use(function *(){