
Fix slow pattern and regex #3135

Merged
merged 2 commits into from
Oct 2, 2023

Conversation

p4p3r
Collaborator

@p4p3r p4p3r commented Sep 29, 2023

No description provided.

@linear

linear bot commented Sep 29, 2023

RULES-5745 Fix evil (very very slow) rule included in auto config

This cors regex rule, https://semgrep.dev/r?q=typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard,

can take > 10s to run for a single naughty file.

See PA-3147 for more context.

lewis said in PA-3147:

Whoever does fix it should just do

      - pattern-either:
          - pattern: $CORS = [...,/$PATTERN/,...]
          - pattern: $CORS = /$PATTERN/
      - focus-metavariable: $PATTERN

and then do the desired regex inside the //, otherwise you are matching EVERY assignment and EVERY value inside a list. Plus you shouldn't rely on const just use $CORS
:homerdisappear:

@p4p3r p4p3r changed the title from "Fix slow regex" to "Fix slow pattern and regex" on Sep 29, 2023
@p4p3r p4p3r force-pushed the claudio/rules-5745 branch from 7874e7e to 2ae85ab on September 29, 2023 17:55
@p4p3r p4p3r force-pushed the claudio/rules-5745 branch from 2ae85ab to 72d077a on September 29, 2023 17:56
Contributor

@LewisArdern LewisArdern left a comment


lgtm, the rule is confusing though: a wildcard CORS generally means * in the CORS policy. What this means is that the domain can be something other than intended, e.g.

https://quxabizabazafoobar.com

will match because of the regex, since it's not escaping the .
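As an added illustration of the point in the two comments above (this is example code, not part of the PR or the semgrep rule), the snippet below puts an allow-list in the shape the suggested pattern matches (`$CORS = [/.../]`) beside a tightened one, and shows which constructed origins each accepts. The hostname `foobar.com`, the helper `originRegexFor` and the sample origins are assumptions made up for the example.

```javascript
// Added example, not from the semgrep-rules project: an unescaped "." in a
// CORS origin regex matches any character, and an unanchored regex matches
// any origin that merely contains the intended host.

// Weak allow-list: "." is unescaped and the pattern has no ^ / $ anchors.
const corsWeak = [/foobar.com/];

// Builds a strict origin regex for one host: literal dots (and any other
// regex metacharacters) are escaped, scheme is fixed, both ends anchored.
// Hypothetical helper written for this example.
function originRegexFor(host) {
  const escaped = host.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^https://' + escaped + '$');
}

const corsStrict = [originRegexFor('foobar.com')];

// Checks a request Origin header against an allow-list of regexes, the way
// a typical CORS middleware does.
function originAllowed(allowList, origin) {
  return allowList.some((re) => re.test(origin));
}

// Constructed sample origins: the intended one plus three look-alikes.
const sampleOrigins = [
  'https://foobar.com',              // intended origin
  'https://foobarxcom',              // unescaped "." accepts any character
  'https://quxabizabazafoobar.com',  // unanchored: intended host is a suffix
  'https://foobar.com.evil.example', // unanchored: intended host is a prefix
];

// Returns one row per sample origin with the verdict of each allow-list.
function compareAllowLists() {
  return sampleOrigins.map((origin) => ({
    origin,
    weak: originAllowed(corsWeak, origin),
    strict: originAllowed(corsStrict, origin),
  }));
}

// Only the intended origin passes the strict list; all four pass the weak one.
for (const row of compareAllowLists()) {
  console.log(`${row.origin}: weak=${row.weak} strict=${row.strict}`);
}
```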

@p4p3r
Collaborator Author

p4p3r commented Oct 2, 2023

Time on https://github.com/returntocorp/advisory-frontend/blob/main/app/api/inngest/popular-packages-2.ts:
0.97s user 0.13s system 94% cpu 1.156s total

Time on https://github.com/returntocorp/advisory-frontend/blob/main/app/api/inngest/popular-packages.ts:
0.76s user 0.13s system 93% cpu 0.950s total

@p4p3r p4p3r merged commit b50a0e9 into develop Oct 2, 2023
7 of 8 checks passed
@p4p3r p4p3r deleted the claudio/rules-5745 branch October 2, 2023 09:02