Fix code scanning alert no. 2796: Inefficient regular expression #117
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
...gic_via_Chrome.webarchive/Technical Note TN2124 Mac OS X Debugging Magic_files/prototype.js
idk if this will work, but let's give it a try... Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
...gic_via_Chrome.webarchive/Technical Note TN2124 Mac OS X Debugging Magic_files/prototype.js
sheesh, again? Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
...gic_via_Chrome.webarchive/Technical Note TN2124 Mac OS X Debugging Magic_files/prototype.js
...gic_via_Chrome.webarchive/Technical Note TN2124 Mac OS X Debugging Magic_files/prototype.js
aaaaah stop it already Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@@ -4037,7 +4037,7 @@ | |||
}, | |||
split: function (b) { | |||
var a = []; | |||
b.scan(/(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/, function (c) { | |||
b.scan(/(([\w#:.~>+()]+|[\t\n\r\f\v-]*?|\*|\[[^\]]*?\])+)\s*(,|$)/, function (c) { |
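Review bot: the whitespace class introduced on the + line, [\t\n\r\f\v-], omits the plain space character that \s on the - line matched, so a descendant selector such as div p can no longer be consumed as one unit (no alternative inside the group accepts the space, and the trailing \s* only helps immediately before a comma or the end of the input); the construct CodeQL is reporting, a +-quantified class nested inside (...)+, is also still present, so the alert will not clear. Consider keeping \s and dropping the inner + instead, so that each iteration of the outer group consumes exactly one character or one complete bracket group, e.g. /(([\w#:.~>+()\s-]|\*|\[[^\]]*\])+)\s*(,|$)/; the three alternatives then start with disjoint characters and the exponential case is gone.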
Check failure
Code scanning / CodeQL: Inefficient regular expression (High, documentation)
Copilot Autofix AI 5 months ago
To fix the problem, we need to modify the regular expression to remove the ambiguity that causes exponential backtracking. Specifically, we can replace the ambiguous character class [\w#:.~>+()]+ with a more precise expression that avoids nested quantifiers.

The best way to fix this is to ensure that the sub-expressions within the regular expression are not ambiguous and do not lead to excessive backtracking. We can achieve this by breaking down the character class into more specific parts and ensuring that each part is matched deterministically.
@@ -4039,3 +4039,3 @@ | ||
var a = []; | ||
b.scan(/(([\w#:.~>+()]+|[\t\n\r\f\v-]*?|\*|\[[^\]]*?\])+)\s*(,|$)/, function (c) { | ||
b.scan(/(([\w#:.~>+()]+|[\t\n\r\f\v-]+|\*|\[[^\]]*\])+)\s*(,|$)/, function (c) { | ||
a.push(c[1].strip()); |
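Review bot: both edits on the + line are sound on their own (a lazy *? branch can match nothing, which inside the outer (...)+ only adds zero-width ways to match; and [^\]]*? before a literal ] gains nothing from laziness, so [^\]]* is equivalent and simpler), but the suggestion leaves [\w#:.~>+()]+ nested under the outer +, which is exactly the ambiguity the alert describes, and the whitespace class still has no plain space in it; expect the same alert on the next scan. The fix that clears it is removing the inner + so each iteration of the group matches a single character or a single bracket group.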
@@ -4037,7 +4037,7 @@ | |||
}, | |||
split: function (b) { | |||
var a = []; | |||
b.scan(/(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/, function (c) { | |||
b.scan(/(([\w#:.~>+()]+|[\t\n\r\f\v-]*?|\*|\[[^\]]*?\])+)\s*(,|$)/, function (c) { |
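Review bot: [\t\n\r\f\v-]*? on the + line is a lazy quantifier that can match the empty string, placed as an alternative inside a repeating group; a repeating group with an empty-matching branch is itself ambiguous (every position gets an extra zero-width way to be matched), so this change adds backtracking paths rather than removing them. Use + here (as the suggestion below does) or fold the whitespace back into the preceding character class, which is where \s was on the - line.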
Check failure
Code scanning / CodeQL: Inefficient regular expression (High, documentation)
Copilot Autofix AI 5 months ago
To fix the problem, we need to modify the regular expression to remove the ambiguity that causes exponential backtracking. The sub-expression [\t\n\r\f\v-]*? can be rewritten to avoid ambiguity. One way to achieve this is by using a non-greedy match for the specific characters and ensuring that the pattern does not allow for multiple ways to match the same string.
@@ -4039,3 +4039,3 @@ | ||
var a = []; | ||
b.scan(/(([\w#:.~>+()]+|[\t\n\r\f\v-]*?|\*|\[[^\]]*?\])+)\s*(,|$)/, function (c) { | ||
b.scan(/(([\w#:.~>+()]+|[\t\n\r\f\v-]+|\*|\[[^\]]*?\])+)\s*(,|$)/, function (c) { | ||
a.push(c[1].strip()); |
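Review bot: this is the same *? to + change proposed in the previous suggestion, minus its [^\]]* simplification, and it still keeps the +-quantified [\w#:.~>+()] class inside the outer +, so applying it will reproduce the alert; the plain space is also still missing from the whitespace class, so descendant selectors will keep splitting wrongly. The two suggestions are not contradicting each other; they are both stopping short of the nested quantifier. Rather than iterating on the autofix, replace the inner + classes with single-character alternatives and put \s back into the class.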
OK, these fix suggestions are just going in circles, undoing and redoing previous suggestions... I give up.
Fixes https://github.com/cooljeanius/apple-gdb-1824/security/code-scanning/2796
To fix the problem, we need to modify the regular expression to remove the ambiguity that causes exponential backtracking. Specifically, we should replace the .*? pattern with a more precise pattern that avoids ambiguity. In this case, we can use a negated character class to match any character except the closing bracket ], which will prevent the regular expression engine from backtracking excessively.

Replace .*? with a negated character class that matches any character except the closing bracket ].

split function, from
/(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/
to
/(([\w#:.~>+()\s-]+|\*|\[[^\]]*?\])+)\s*(,|$)/

src/contrib/doc/Apple/TN2124_MacOSX_Debugging_Magic_via_Chrome.webarchive/Technical Note TN2124 Mac OS X Debugging Magic_files/prototype.js

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
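The behaviour this thread is going back and forth on, as an added example that is not code from prototype.js, from this repository or from the autofix: a stand-in for Prototype's String#scan loop (scanSplit, written here to mimic how Selector.split collects c[1].strip()) runs the original pattern and the autofixed pattern from the hunks above over a few constructed selector lists, an unnested rewrite (UNNESTED_RE, my suggestion, not from the page) shows the shape that removes the nested quantifier, and a timing probe shows why the nested form is what CodeQL keeps reporting. The selector strings and the probe input are constructed for the example.

```javascript
// Added example, not code from prototype.js or from this repository.
// Patterns copied from the hunks: the original Selector.split regex and the
// autofixed one that CodeQL keeps flagging.
const ORIGINAL_RE = /(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/;
const AUTOFIX_RE  = /(([\w#:.~>+()]+|[\t\n\r\f\v-]*?|\*|\[[^\]]*?\])+)\s*(,|$)/;

// Assumed rewrite (mine, not from the page): the inner "+" is gone, so each
// iteration of the group consumes exactly one character or one complete
// [...] group. The three alternatives start with disjoint characters, so a
// given prefix can be matched only one way and the exponential case is gone.
const UNNESTED_RE = /([\w#:.~>+()\s-]|\*|\[[^\]]*\])+/g;

// Stand-in for Prototype's String#scan/gsub loop as Selector.split uses it
// (assumed equivalent for these inputs): match, push group 1 trimmed, drop
// the input through the end of the match, repeat while input remains.
function scanSplit(re, selectorList) {
  const out = [];
  let source = selectorList;
  while (source.length > 0) {
    const m = source.match(re);
    if (m === null || m[0].length === 0) break; // an empty match would never advance
    out.push(m[1].trim());
    source = source.slice(m.index + m[0].length);
  }
  return out;
}

// Split with the unnested pattern: every match is one comma-free selector,
// because "," is accepted by none of the alternatives.
function unnestedSplit(selectorList) {
  const matches = selectorList.match(UNNESTED_RE) || [];
  return matches.map((s) => s.trim()).filter((s) => s.length > 0);
}

// Time one search with the classic probe for nested quantifiers: a run of
// characters every alternative accepts, then one character nothing accepts,
// so a backtracking engine tries every partition of the run before failing.
function searchMillis(re, n) {
  const probe = 'a'.repeat(n) + '!';
  re.lastIndex = 0;
  const t0 = Date.now();
  re.test(probe);
  re.lastIndex = 0;
  return Date.now() - t0;
}

// Constructed inputs: a descendant selector, a child selector and an
// attribute selector whose value contains a comma.
const SAMPLES = ['div p, span', 'ul > li', 'a[href=","], b'];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s));
  console.log('  original :', JSON.stringify(scanSplit(ORIGINAL_RE, s)));
  console.log('  autofix  :', JSON.stringify(scanSplit(AUTOFIX_RE, s)));
  console.log('  unnested :', JSON.stringify(unnestedSplit(s)));
}
for (const n of [12, 16, 20]) {
  console.log(`n=${n}: original ${searchMillis(ORIGINAL_RE, n)} ms, unnested ${searchMillis(UNNESTED_RE, n)} ms`);
}
```

Two things to look at in the output: the autofixed pattern returns ["p","span"] for "div p, span" and ["li"] for "ul > li", because its whitespace class has no plain space in it, so the combinator and everything before it are skipped rather than joined; and the search time for the original pattern roughly doubles with every extra character of the probe, while the unnested pattern stays flat, which is the difference between a pattern CodeQL's js/redos query reports and one it does not.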