Fix slow regex

semgrep · Sep 29, 2023 · 6b8f98d · 6b8f98d
1 parent c926e0d
commit 6b8f98d
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 50 deletions.
diff --git a/typescript/lang/security/audit/cors-regex-wildcard.tsx b/typescript/lang/security/audit/cors-regex-wildcard.tsx
@@ -1,31 +1,33 @@
-// ruleid: cors-regex-wildcard
 const corsDomains = [
-    /localhost\:/,
-    /(.+\.)*foo\.com$/,
-    /(.+\.)*foobar\.com$/, // matches *.foobar.com,
-    /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/,
-    /^(http|https):\/\/www\.bar\.com$/,
-    /^(http|https):\/\/www.foo.com$/,
+  /localhost\:/,
+  /(.+\.)*foo\.com$/,
+  /(.+\.)*foobar\.com$/, // matches *.foobar.com,
+  // ruleid: cors-regex-wildcard
+  /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/,
+  /^(http|https):\/\/www\.bar\.com$/,
+  // ruleid: cors-regex-wildcard
+  /^(http|https):\/\/www.foo.com$/,
 ];
 
-// ruleid: cors-regex-wildcard
 const CORS = [
-    /localhost\:/,
-    /(.+\.)*foo\.com$/,
-    /(.+\.)*foobar\.com$/, // matches *.foobar.com,
-    /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/,
-    /^(http|https):\/\/www\.bar\.com$/,
-    /^(http|https):\/\/www.foo.com$/,
+  /localhost\:/,
+  /(.+\.)*foo\.com$/,
+  /(.+\.)*foobar\.com$/, // matches *.foobar.com,
+  // ruleid: cors-regex-wildcard
+  /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/,
+  /^(http|https):\/\/www\.bar\.com$/,
+  // ruleid: cors-regex-wildcard
+  /^(http|https):\/\/www.foo.com$/,
 ];
 
 // ruleid: cors-regex-wildcard
 const corsOrigin = /^(http|https):\/\/www.foo.com$/;
 
 const urls = [
-    /localhost\:/,
-    /(.+\.)*foo\.com$/,
-    /(.+\.)*foobar\.com$/, // matches *.foobar.com,
-    /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/,
-    /^(http|https):\/\/www\.bar\.com$/,
-    /^(http|https):\/\/www.foo.com$/,
+  /localhost\:/,
+  /(.+\.)*foo\.com$/,
+  /(.+\.)*foobar\.com$/, // matches *.foobar.com,
+  /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/,
+  /^(http|https):\/\/www\.bar\.com$/,
+  /^(http|https):\/\/www.foo.com$/,
 ];
diff --git a/typescript/lang/security/audit/cors-regex-wildcard.yaml b/typescript/lang/security/audit/cors-regex-wildcard.yaml
@@ -1,31 +1,35 @@
 rules:
-- id: cors-regex-wildcard
-  message: "Unescaped '.' character in CORS domain regex $CORS: $PATTERN"
-  metadata:
-    cwe:
-    - 'CWE-183: Permissive List of Allowed Inputs'
-    category: security
-    technology:
-    - cors
-    owasp:
-    - A04:2021 - Insecure Design
-    references:
-    - https://owasp.org/Top10/A04_2021-Insecure_Design
-    subcategory:
-    - audit
-    likelihood: LOW
-    impact: LOW
-    confidence: LOW
-  languages:
-  - ts
-  severity: WARNING
-  patterns:
-  - pattern-either:
-    - pattern: const $CORS = [...,$PATTERN,...]
-    - pattern: const $CORS = $PATTERN
-  - metavariable-regex:
-      metavariable: $PATTERN
-      regex: .+?(?<!\\).\..+(?<!\\)\..+
-  - metavariable-regex:
-      metavariable: $CORS
-      regex: (?i)cors
+  - id: cors-regex-wildcard
+    message: "Unescaped '.' character in CORS domain regex $CORS: $PATTERN"
+    metadata:
+      cwe:
+        - "CWE-183: Permissive List of Allowed Inputs"
+      category: security
+      technology:
+        - cors
+      owasp:
+        - A04:2021 - Insecure Design
+      references:
+        - https://owasp.org/Top10/A04_2021-Insecure_Design
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: LOW
+      confidence: LOW
+      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
+      vulnerability_class:
+        - Improper Validation
+    languages:
+      - ts
+    severity: WARNING
+    patterns:
+      - pattern-either:
+          - pattern: $CORS = [...,/$PATTERN/,...]
+          - pattern: $CORS = /$PATTERN/
+      - focus-metavariable: $PATTERN
+      - metavariable-regex:
+          metavariable: $PATTERN
+          regex: .+?(?<!\\).\..+(?<!\\)\..+
+      - metavariable-regex:
+          metavariable: $CORS
+          regex: (?i)cors