fix(faq-bot): reject nested unbounded quantifiers hidden behind wrapping groups (v0.1.3)#6
Merged
…ing groups (v0.1.3) The regex safety check only flagged a group that was directly quantified, so an extra layer of parentheses — ((a+))+ , (((a+)))* — slipped a catastrophic-backtracking pattern through. A group's "contains an unbounded quantifier" property now propagates to its enclosing group even when the inner group isn't itself quantified, so wrapping can no longer hide the nesting. Single-quantifier grouped patterns like ((ab)+) stay accepted.
Summary
Follow-up hardening for faq-bot, released as v0.1.3.
The regex safety check added in v0.1.2 only flagged a group that was directly quantified. A group's "contains an unbounded quantifier" property was discarded when the group closed without a trailing quantifier, so wrapping a catastrophic pattern in an extra layer of parentheses slipped it through: `((a+))+`, `(((a+)))*`, `((\w+\s?))*` were accepted and remained catastrophic-backtracking.
The check now propagates that property to the enclosing group even when the inner group isn't itself quantified, so a wrapping group can no longer hide the nesting. Single-quantifier grouped patterns (e.g. `((ab)+)`, `(a+)`, `((cat|dog))`) are still accepted — no over-rejection.
Known, unchanged limitation (documented in code): the heuristic addresses the nested-quantifier class, not overlapping-alternation ReDoS (e.g. `(a|a)*`); the upgrade path is a linear-time engine.
Tests
`((a+))+`, `(((a+)))*`, `((\w+\s?))*` are skipped; `((ab)+)`, `(a+)`, `((cat|dog))` are kept.
`tsc --noEmit` clean, bundle packages cleanly.
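The group-flag propagation this PR describes, written out as an added TypeScript example. This is not faq-bot's own checker; the function names (`hasNestedUnboundedQuantifier`, `readQuantifier`, `skipClass`, `partitionPatterns`) are assumptions made for the illustration, and the sample list is constructed from the patterns named in the PR plus a few extra cases (escaped parentheses, `{n,}` bounds, lazy quantifiers) to show where the heuristic's edges are.

```typescript
// Added example (not faq-bot's code): a minimal scanner for the
// "nested unbounded quantifier" ReDoS heuristic discussed in this PR.
// Function and helper names are assumptions made for this illustration.

interface Quantifier {
  unbounded: boolean; // true for *, + and {n,} (no upper bound)
  next: number;       // index just past the quantifier (== start if none)
}

// Reads an optional quantifier at `start`: *, +, ?, {n}, {n,}, {n,m},
// each optionally followed by a lazy '?' modifier.
function readQuantifier(pattern: string, start: number): Quantifier {
  let unbounded = false;
  let i = start;
  const c = pattern[i];
  if (c === '*' || c === '+') {
    unbounded = true;
    i++;
  } else if (c === '?') {
    i++;
  } else if (c === '{') {
    const m = /^\{(\d+)(?:,(\d*))?\}/.exec(pattern.slice(i));
    if (!m) return { unbounded: false, next: start }; // literal '{', not a quantifier
    unbounded = m[2] === ''; // "{n,}" has an empty upper bound -> unbounded
    i += m[0].length;
  } else {
    return { unbounded: false, next: start };
  }
  if (pattern[i] === '?') i++; // lazy modifier does not change the bound
  return { unbounded, next: i };
}

// Skips a character class starting at pattern[start] === '['. Quantifier
// characters inside a class are literals, so nothing in it is a quantifier.
function skipClass(pattern: string, start: number): number {
  let i = start + 1;
  if (pattern[i] === '^') i++;
  while (i < pattern.length && pattern[i] !== ']') {
    i += pattern[i] === '\\' ? 2 : 1;
  }
  return i + 1; // past the closing ']'
}

// Returns true when an unbounded quantifier is applied to a group that already
// contains an unbounded quantifier, at any depth: (a+)+, ((a+))+, (((a+)))*.
// The rule this PR adds: when a group closes, its "contains unbounded" flag is
// merged into the enclosing group whether or not the closing group is itself
// quantified, so extra wrapping parentheses cannot hide the nesting.
// Overlapping alternation such as (a|a)* is out of scope, as the PR notes.
function hasNestedUnboundedQuantifier(pattern: string): boolean {
  // One flag per open group; index 0 is the top level of the pattern.
  const containsUnbounded: boolean[] = [false];
  let i = 0;
  while (i < pattern.length) {
    const c = pattern[i];
    if (c === '(') {
      containsUnbounded.push(false);
      i++;
      continue;
    }
    if (c === ')') {
      if (containsUnbounded.length === 1) throw new Error(`unbalanced ')' at ${i}`);
      const inner = containsUnbounded.pop() as boolean;
      const q = readQuantifier(pattern, i + 1);
      if (q.unbounded && inner) return true; // unbounded-quantified group wrapping a quantifier
      // Propagate: the enclosing group now "contains" an unbounded quantifier if
      // the closed group had one inside it OR was itself unbounded-quantified.
      if (inner || q.unbounded) containsUnbounded[containsUnbounded.length - 1] = true;
      i = q.next;
      continue;
    }
    // Any other atom: escape sequence, character class, or a single character.
    // (Group-prefix characters such as the "?:" of a non-capturing group and the
    // '|' of an alternation fall through here harmlessly as literal atoms.)
    if (c === '\\') i += 2;
    else if (c === '[') i = skipClass(pattern, i);
    else i++;
    const q = readQuantifier(pattern, i);
    if (q.unbounded) containsUnbounded[containsUnbounded.length - 1] = true;
    i = q.next;
  }
  if (containsUnbounded.length !== 1) throw new Error("unbalanced '('");
  return false;
}

// Splits candidates into kept/skipped, mirroring the PR's test notes.
function partitionPatterns(patterns: string[]): { kept: string[]; skipped: string[] } {
  const kept: string[] = [];
  const skipped: string[] = [];
  for (const p of patterns) (hasNestedUnboundedQuantifier(p) ? skipped : kept).push(p);
  return { kept, skipped };
}

// Constructed sample: the patterns named in this PR, in the PR's order.
const SAMPLE_PATTERNS: string[] = [
  '((a+))+', '(((a+)))*', String.raw`((\w+\s?))*`,
  '((ab)+)', '(a+)', '((cat|dog))', '(a|a)*',
];
console.log(partitionPatterns(SAMPLE_PATTERNS));
```

The propagation happens in the `)` branch: whichever of `inner` or `q.unbounded` is set, the parent frame's flag is raised, so `((a+))+` is rejected at the outer `+` even though the middle group carries no quantifier of its own. `(a|a)*` passes, which is the documented limitation, and escaped parentheses like `\(a+\)+` pass because `\(` is consumed as an atom rather than opening a frame.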