* Creates a chain of decompressors for multiple content encodings * * @param {string} encodings - Comma-separated list of content encodings * @returns {Array } - Array of decompressor streams * @throws {Error} - If the number of content-encodings exceeds the maximum al
(encodings)
| 64 | * @throws {Error} - If the number of content-encodings exceeds the maximum allowed |
| 65 | */ |
| 66 | #createDecompressionChain (encodings) { |
| 67 | const parts = encodings.split(',') |
| 68 | |
| 69 | // Limit the number of content-encodings to prevent resource exhaustion. |
| 70 | // CVE fix similar to urllib3 (GHSA-gm62-xv2j-4w53) and curl (CVE-2022-32206). |
| 71 | const maxContentEncodings = 5 |
| 72 | if (parts.length > maxContentEncodings) { |
| 73 | throw new Error(`too many content-encodings in response: ${parts.length}, maximum allowed is ${maxContentEncodings}`) |
| 74 | } |
| 75 | |
| 76 | /** @type {DecompressorStream[]} */ |
| 77 | const decompressors = [] |
| 78 | |
| 79 | for (let i = parts.length - 1; i >= 0; i--) { |
| 80 | const encoding = parts[i].trim() |
| 81 | if (!encoding) continue |
| 82 | |
| 83 | if (!supportedEncodings[encoding]) { |
| 84 | decompressors.length = 0 // Clear if unsupported encoding |
| 85 | return decompressors // Unsupported encoding |
| 86 | } |
| 87 | |
| 88 | decompressors.push(supportedEncodings[encoding]()) |
| 89 | } |
| 90 | |
| 91 | return decompressors |
| 92 | } |
| 93 | |
| 94 | /** |
| 95 | * Sets up event handlers for a decompressor stream using readable events |