From 0fa034ed6dfd65942c8cb71bacd97cec0a448017 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Fri, 29 May 2026 10:17:42 -0400
Subject: [PATCH] fix(discord): reject unsafe rate limit headers
---
 extensions/discord/src/internal/rest-routes.test.ts | 8 ++++++++
 extensions/discord/src/internal/rest-routes.ts | 4 +++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/extensions/discord/src/internal/rest-routes.test.ts b/extensions/discord/src/internal/rest-routes.test.ts
index e3c8a789cad..5027a583891 100644
--- a/extensions/discord/src/internal/rest-routes.test.ts
+++ b/extensions/discord/src/internal/rest-routes.test.ts
@@ -14,6 +14,14 @@ describe("Discord REST rate limit header parsing", () => {
 expect(readHeaderNumber(headers, "X-RateLimit-Reset-After")).toBeUndefined();
 });
+ it("rejects unsafe finite numeric header magnitudes", () => {
+ const headers = new Headers({
+ "X-RateLimit-Reset-After": "9007199254740993",
+ });
+
+ expect(readHeaderNumber(headers, "X-RateLimit-Reset-After")).toBeUndefined();
+ });
+
 it("keeps decimal reset headers working", () => {
 vi.useFakeTimers();
 vi.setSystemTime(new Date("2026-05-28T12:00:00.000Z"));
diff --git a/extensions/discord/src/internal/rest-routes.ts b/extensions/discord/src/internal/rest-routes.ts
index 3ba0fee7a01..67a99bbf543 100644
--- a/extensions/discord/src/internal/rest-routes.ts
+++ b/extensions/discord/src/internal/rest-routes.ts
@@ -32,7 +32,9 @@ export function readHeaderNumber(headers: Headers, name: string): number | undef
 return undefined;
 }
 const parsed = Number(trimmed);
- return Number.isFinite(parsed) ? parsed : undefined;
+ return Number.isFinite(parsed) && Math.abs(parsed) <= Number.MAX_SAFE_INTEGER
+ ? parsed
+ : undefined;
 }
 export function readResetAt(response: Response): number | undefined {
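Review bot: `Number(trimmed)` feeding the new return expression still accepts every JavaScript numeric literal form (hex/binary/octal prefixes, exponent notation) and a negative value passes the `Math.abs` bound, so a header such as `-1` or `0x10` is still returned as a number; if readResetAt, which starts just below the hunk, scales the value to milliseconds, a seconds value near MAX_SAFE_INTEGER would also lose precision after the multiply. Restricting the parse to the plain decimal form these headers are expected to carry would close that, e.g. `if (!/^\d+(\.\d+)?$/.test(trimmed)) return undefined;` before the `Number()` call, assuming negative values are never meaningful here. The added bound deserves a one-line why-comment, e.g. `// Reject magnitudes beyond MAX_SAFE_INTEGER so later reset-time arithmetic stays exact.`, and the new test in rest-routes.test.ts could pin a negative and a non-decimal case alongside the large-magnitude one. readHeaderNumber begins before the hunk, so the guard that produces the visible `return undefined;` is not in view.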