Skip to content

Fix code scanning alert no. 14: Inefficient regular expression #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tacxou merged 1 commit into from
Nov 22, 2024
Merged

Fix code scanning alert no. 14: Inefficient regular expression #40

tacxou merged 1 commit into from
Nov 22, 2024

Conversation

@tacxou
Copy link
Member

@tacxou tacxou commented Nov 22, 2024

Fixes https://github.com/Libertech-FR/sesame-orchestrator/security/code-scanning/14

To fix the problem, we need to modify the regular expression to remove the ambiguity that causes exponential backtracking. Specifically, we can change the part of the regular expression that matches any character except / and \0 to be more specific and avoid nested repetitions.

  • The original regular expression: ^\/(\.?[^\/\0]+\/?)+$
  • The problematic part: [^\/\0]+ inside (\.?[^\/\0]+\/?)+

We can replace [^\/\0]+ with a more specific pattern that avoids ambiguity. One way to do this is to use a non-capturing group and ensure that the pattern does not allow for multiple ways to match the same string.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@tacxou @github-advanced-security
Fix code scanning alert no. 14: Inefficient regular expression
3b720eb 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@tacxou tacxou marked this pull request as ready for review November 22, 2024 10:30
@tacxou tacxou merged commit 02e3ef8 into main Nov 22, 2024
1 of 3 checks passed
@tacxou tacxou deleted the alert-autofix-14 branch November 22, 2024 10:30
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 22, 2024
View reviewed changes
src/core/filestorage/_dto/filestorage.dto.ts
@IsNotEmpty()
@ApiProperty({ type: String, default: '/' })
@Matches(/^\/(\.?[^\/\0]+\/?)+$/, { message: 'Path must be a valid path' })
@Matches(/^\/(?:\.?[^\/\0]+\/?)+$/, { message: 'Path must be a valid path' })

Check failure

Code scanning / CodeQL

Inefficient regular expression High

This part of the regular expression may cause exponential backtracking on strings starting with '/' and containing many repetitions of '.'.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to modify the regular expression to remove the ambiguity that causes exponential backtracking. We can achieve this by making the sub-expression more specific and avoiding nested quantifiers. Specifically, we can replace \.?[^\/\0]+\/? with a more precise pattern that matches valid path segments without ambiguity.

The best way to fix the problem is to use a non-capturing group that matches either a single dot or a sequence of characters that are not slashes or null characters. This will eliminate the nested quantifiers and prevent exponential backtracking.

Suggested changeset 1
src/core/filestorage/_dto/filestorage.dto.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/core/filestorage/_dto/filestorage.dto.ts b/src/core/filestorage/_dto/filestorage.dto.ts
--- a/src/core/filestorage/_dto/filestorage.dto.ts
+++ b/src/core/filestorage/_dto/filestorage.dto.ts
@@ -35,3 +35,3 @@
   @ApiProperty({ type: String, default: '/' })
-  @Matches(/^\/(?:\.?[^\/\0]+\/?)+$/, { message: 'Path must be a valid path' })
+  @Matches(/^\/(?:\.[^\/\0]*|[^\/\0]+\/?)+$/, { message: 'Path must be a valid path' })
   public path: string;
EOF
@@ -35,3 +35,3 @@
@ApiProperty({ type: String, default: '/' })
@Matches(/^\/(?:\.?[^\/\0]+\/?)+$/, { message: 'Path must be a valid path' })
@Matches(/^\/(?:\.[^\/\0]*|[^\/\0]+\/?)+$/, { message: 'Path must be a valid path' })
public path: string;
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tacxou