
fix(faq-bot): reject nested unbounded quantifiers hidden behind wrapping groups (v0.1.3)#6

Merged
rmyndharis merged 1 commit into
mainfrom
faq-bot-redos-grouped-nesting
Jun 23, 2026

Conversation

@rmyndharis

Owner

Summary

Follow-up hardening for faq-bot, released as v0.1.3.

The regex safety check added in v0.1.2 only flagged a group that was directly quantified. A group's "contains an unbounded quantifier" property was discarded when the group closed without a trailing quantifier, so wrapping a catastrophic pattern in an extra layer of parentheses slipped it through:

  • ((a+))+, (((a+)))*, ((\w+\s?))* were accepted and remained catastrophic-backtracking.

The check now propagates that property to the enclosing group even when the inner group isn't itself quantified, so a wrapping group can no longer hide the nesting. Single-quantifier grouped patterns (e.g. ((ab)+), (a+), ((cat|dog))) are still accepted — no over-rejection.

Known, unchanged limitation (documented in code): the heuristic addresses the nested-quantifier class, not overlapping-alternation ReDoS (e.g. (a|a)*); the upgrade path is a linear-time engine.

Tests

  • New: ((a+))+, (((a+)))*, ((\w+\s?))* are skipped; ((ab)+), (a+), ((cat|dog)) are kept.
  • Full suite green (106 tests), tsc --noEmit clean, bundle packages cleanly.
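The propagation rule described above, as an added example that is not faq-bot's own code: a scanner over a regex source that tracks, per open group, whether it contains an unbounded quantifier, copies that flag to the enclosing group on every ")" (not only when a quantifier follows), and rejects an unbounded quantifier applied to a group whose flag is set. Function and variable names are assumptions; overlapping alternation such as (a|a)* is deliberately not covered, matching the PR's stated limitation.

```typescript
// Added example (not faq-bot's own code): reject a regex source when an unbounded
// quantifier (+, *, {n,}) applies to a group that already contains one, even when
// the quantified group is only a wrapper. Overlapping alternation is out of scope.
// Parse a quantifier starting at src[i]; null when src[i] does not begin one.
function quantifierAt(src: string, i: number): { len: number; unbounded: boolean } | null {
  const c = src[i];
  if (c === "+" || c === "*") return { len: 1, unbounded: true };
  if (c === "?") return { len: 1, unbounded: false };
  const m = c === "{" ? /^\{(\d+)(,(\d*))?\}/.exec(src.slice(i)) : null;
  if (!m) return null;                                  // lone "{" is a literal
  return { len: m[0].length, unbounded: m[2] !== undefined && m[3] === "" };
}

function hasNestedUnboundedQuantifier(src: string): boolean {
  const stack: boolean[] = [false];      // one flag per open group (+ top level)
  let closedGroupUnbounded: boolean | null = null; // set right after a ")"
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === "(") {          // a "(?" prefix needs no care: "?" parses as bounded
      stack.push(false);
      closedGroupUnbounded = null;
      i += 1;
      continue;
    }
    if (c === ")") {
      if (stack.length === 1) throw new Error("unbalanced ')'");
      const inner = stack.pop() as boolean;
      // The v0.1.3 fix: propagate even when no quantifier follows this ")".
      stack[stack.length - 1] = stack[stack.length - 1] || inner;
      closedGroupUnbounded = inner;
      i += 1;
      continue;
    }
    const q = quantifierAt(src, i);
    if (q) {
      if (q.unbounded && closedGroupUnbounded) return true;  // nesting found
      if (q.unbounded) stack[stack.length - 1] = true;
      i += q.len + (src[i + q.len] === "?" ? 1 : 0);         // lazy modifier
    } else if (c === "\\") {
      i += 2;                                                // escaped atom
    } else if (c === "[") {                                  // character class
      i += (/(?<!\\)\]/.exec(src.slice(i + 1))?.index ?? src.length) + 2;
    } else {
      i += 1;
    }
    closedGroupUnbounded = null;
  }
  if (stack.length !== 1) throw new Error("unbalanced '('");
  return false;
}
```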

…ing groups (v0.1.3)

The regex safety check only flagged a group that was directly quantified, so an extra
layer of parentheses — ((a+))+ , (((a+)))* — slipped a catastrophic-backtracking pattern
through. A group's "contains an unbounded quantifier" property now propagates to its
enclosing group even when the inner group isn't itself quantified, so wrapping can no
longer hide the nesting. Single-quantifier grouped patterns like ((ab)+) stay accepted.
@rmyndharis rmyndharis merged commit f593c5b into main Jun 23, 2026
1 check passed
@rmyndharis rmyndharis deleted the faq-bot-redos-grouped-nesting branch June 23, 2026 10:23