Skip to content

fix: replace COMMENT_REGEX to prevent ReDoS vulnerability#556

Merged
remarkablemark merged 2 commits into
masterfrom
fix/regex
Jul 6, 2026
Merged

fix: replace COMMENT_REGEX to prevent ReDoS vulnerability#556
remarkablemark merged 2 commits into
masterfrom
fix/regex

Conversation

@remarkablemark

Copy link
Copy Markdown
Owner

What is the motivation for this pull request?

Bug fix: COMMENT_REGEX used a nested quantifier pattern that is vulnerable to polynomial backtracking (ReDoS) on adversarial input strings.

What is the current behavior?

The pattern /\/\*[^*]*\*+([^/*][^*]*\*+)*\//g has nested quantifiers that can cause polynomial backtracking on strings starting with /** with many repetitions of )\/**, triggering a CodeQL high-severity alert: Polynomial regular expression used on uncontrolled data.

What is the new behavior?

COMMENT_REGEX is replaced with /\/\*[\s\S]*?\*\//g, a lazy match with no nested quantifiers that eliminates the backtracking risk.

Checklist:

- Replace nested quantifier pattern with lazy match to eliminate polynomial backtracking
- Fix CodeQL: polynomial regular expression used on uncontrolled data
@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (6097b05) to head (eb7d005).

Additional details and impacted files
@@            Coverage Diff            @@
##            master      #556   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines          100       100           
  Branches        17        17           
=========================================
  Hits           100       100           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@remarkablemark remarkablemark self-assigned this Jul 6, 2026
@remarkablemark remarkablemark added the bug Something isn't working label Jul 6, 2026
@mergify

mergify Bot commented Jul 6, 2026

Copy link
Copy Markdown

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@remarkablemark remarkablemark changed the title fix: replace COMMENT_REGEX to prevent ReDoS vulnerability fix: replace COMMENT_REGEX to prevent ReDoS vulnerability Jul 6, 2026
- Replace lazy quantifier with mutually exclusive alternatives to eliminate backtracking
- Add test cases for adversarial comment inputs
@remarkablemark remarkablemark merged commit 08faa75 into master Jul 6, 2026
13 checks passed
@remarkablemark remarkablemark deleted the fix/regex branch July 6, 2026 05:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant