Avoid ReDoS by using better regexes

Alexander Farber
2025-12-15 16:23:17 +01:00
parent 5d94763581
commit 1956507d90


@@ -362,15 +362,19 @@ Co-authored-by: ${gitCoAuthorSettings.name} <${gitCoAuthorSettings.email}>`;
// Handle different git commit patterns // Handle different git commit patterns
// Match -m "message" or -m 'message', including combined flags like -am // Match -m "message" or -m 'message', including combined flags like -am
const messagePattern = /(-[a-zA-Z]*m\s+)(['"])((?:\\.|[^\\])*?)(\2)/; // Use separate patterns to avoid ReDoS (catastrophic backtracking)
const match = command.match(messagePattern); const doubleQuotePattern = /(-[a-zA-Z]*m\s+)"((?:[^"\\]|\\.)*)"/;
const singleQuotePattern = /(-[a-zA-Z]*m\s+)'((?:[^'\\]|\\.)*)'/;
const match =
command.match(doubleQuotePattern) || command.match(singleQuotePattern);
const quote = command.match(doubleQuotePattern) ? '"' : "'";
console.error('[gitCoAuthor] Message pattern match:', match ? 'YES' : 'NO'); console.error('[gitCoAuthor] Message pattern match:', match ? 'YES' : 'NO');
if (match) { if (match) {
const [fullMatch, prefix, quote, existingMessage, closingQuote] = match; const [fullMatch, prefix, existingMessage] = match;
const newMessage = existingMessage + coAuthor; const newMessage = existingMessage + coAuthor;
const replacement = prefix + quote + newMessage + closingQuote; const replacement = prefix + quote + newMessage + quote;
console.error('[gitCoAuthor] Adding co-author trailer'); console.error('[gitCoAuthor] Adding co-author trailer');
return command.replace(fullMatch, replacement); return command.replace(fullMatch, replacement);
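Review bot: `singleQuotePattern` still treats a backslash as an escape (`\\.`), but a POSIX shell gives backslash no special meaning inside single quotes, so for a message ending in a backslash the regex runs past the real closing quote and the co-author trailer is spliced in at a point the shell reads as unquoted text. Now that the two quote styles have separate patterns, the single-quote one can be `/(-[a-zA-Z]*m\s+)'([^']*)'/`, which is also linear-time. Separately, `quote` is derived by running `doubleQuotePattern` a second time, and a double-quoted `-m` anywhere in the command now wins over an earlier single-quoted one, which the old single pattern did not do. Matching once and taking the quote from whichever pattern matched (`const dq = command.match(doubleQuotePattern); const match = dq || command.match(singleQuotePattern); const quote = dq ? '"' : "'";`) removes the duplicate scan, though it does not by itself restore first-occurrence order. The enclosing function starts above this hunk and the `if (match)` block closes below it.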