Fixed possible regular expression catastrophic backtracking #105
Conversation
I don't think the failing CI has anything to do with the PR - let me know if it does.
Hey, any progress on this? This is a blocking issue for me... Thanks a lot,
@marekdedic, apologies for the late reply. Could you provide some tests and changelog entry for this?
Hi, thanks for the reply anyway 🙂 I've added a changelog entry, however, I'm a bit stuck with the tests, see #126.
@marekdedic I had a look at the example you provided and after adding https://regex101.com/r/MlbAhW/1 vs https://regex101.com/r/MlbAhW/2 I don't think this is correct?
Hmm, it's not correct. I don't really know how to fix it though, as I am not really sure what the
To be honest, I don't know either. I have not written this package and I am only maintaining it. Approving PR and releasing the new versions. The only person who knows is @anandthakker, but he is not responsive :(
Does not seem to work...
Hi, So I do actually think this PR is correct, however there is one more thing... We can actually undo #88 with this change and simplify it!
(and undoing #88 would allow for testing for catastrophic regexes...)
Hi, the PR is now working and with tests for unsafe regexes (not limited to the one in #95)
Hmm, so the tests wouldn't catch #95. I've tried switching safe-regex for vuln-regex-detector but that seems to be abandoned... So at least an imperfect test...
As I said before, I am not able to fairly judge the changes. If you are confident this is correct, I am fine with merging it and releasing it as the next version.
And thank you for putting effort into this! :)
Hold your horses. I think I've found some more performance issues with this function. Going to go for a different solution to solve it once and for all. |
Hi, I've reworked it to not use such a horrendous regex but a simpler function instead. Unit tests pass, tried it on 2 of my projects, same output, no performance issues. I think you can merge this now. |
Let's give it a try and release it as next major version :) |
Fixes #95