fix(lib): polynomial redos routes #763
Conversation
lib/spec/openapi/utils.js
@@ -88,7 +88,7 @@ function normalizeUrl (url, serverUrls, stripBasePath) { | |||
|
|||
function resolveServerUrls (servers) { | |||
const resolvedUrls = [] | |||
const findVariablesRegex = /{(.*?)}/g // As for OpenAPI v3 spec url variables are named in brackets, e.g. {foo} | |||
const findVariablesRegex = /\{(.*?)\}/gu // As for OpenAPI v3 spec url variables are named in brackets, e.g. {foo} |
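Review bot: escaping the braces makes the pattern valid under the `u` flag (with `u`, an unescaped `{` is only legal as a quantifier), but the lazy `(.*?)` on the new line is unchanged, so a server URL containing a `{` that never meets a `}` still makes the engine extend the group to the end of the string on every attempt, which is the polynomial shape the PR title refers to. Consider `/\{([^{}]*)\}/gu` so each attempt stops at the next brace; it also prevents a variable name from swallowing a nested `{`. The inline comment says "brackets" where the characters are braces, worth correcting while the line is being touched.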
Was the escape necessary?
Just curious
Without it they are treated as part of a quantifier.
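The behaviour described in the reply above, as an added example that is not part of the PR or the project's own code: it shows that the old unescaped `{(.*?)}` is rejected once the `u` flag is set, that the escaped form from the new line compiles and extracts OpenAPI v3 server-URL variables such as `{host}`, and how a bounded character class keeps the scan from walking to the end of the input. `BOUNDED`, `extractUrlVariables` and `lazyScanSteps` are assumptions of this example, not the library's implementation.

```javascript
// Added example, not the project's own code. Compares the old and new variable
// regex under the `u` flag and contrasts the lazy `.*?` with a bounded class.

const UNESCAPED = '{(.*?)}';      // old line: relies on Annex B leniency for a lone `{`
const ESCAPED = '\\{(.*?)\\}';    // new line: literal braces, valid under `u`
const BOUNDED = '\\{([^{}]*)\\}'; // assumed alternative: a name cannot contain braces

// Compile a pattern and report acceptance instead of throwing, so callers can
// probe which source/flag combinations the engine allows.
function compile(source, flags) {
  try {
    return { ok: true, re: new RegExp(source, flags) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Collect the {variable} names a pattern finds in an OpenAPI v3 server URL.
// Hypothetical helper; it is not the library's resolveServerUrls.
function extractUrlVariables(url, source = BOUNDED) {
  const { ok, re, error } = compile(source, 'gu');
  if (!ok) throw new Error(`invalid variable pattern: ${error}`);
  return Array.from(url.matchAll(re), (m) => m[1]);
}

// Estimate how many characters a lazy `\{(.*?)\}` inspects: every `{` that never
// meets a `}` forces the lazy group to extend to the end of the string before the
// global search moves on, so n unmatched braces cost about n*n/2 steps. That is
// the quadratic (polynomial) ReDoS shape; the bounded class above stops at the
// next brace, so its total work stays linear in the URL length.
function lazyScanSteps(url) {
  let steps = 0;
  for (let i = 0; i < url.length; i++) {
    if (url[i] !== '{') continue;
    const close = url.indexOf('}', i + 1);
    steps += (close === -1 ? url.length : close + 1) - i;
    if (close !== -1) i = close; // the global search resumes after a match
  }
  return steps;
}

console.log(compile(UNESCAPED, 'gu').ok, compile(ESCAPED, 'gu').ok); // false true
console.log(extractUrlVariables('https://{host}:{port}/api/{version}')); // [ 'host', 'port', 'version' ]
console.log(lazyScanSteps('{'.repeat(1000))); // 500500
```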
@Fdawgs CodeQL is complaining about this regexp, could you take a look?
9376349 to 45ab836
u
unicode flag to regex
This appears to have been an issue prior to this change (if you look in the Security tab of the repo).
d26d6a2 to 698c66a
Found another one in 698c66a that CodeQL didn't pick up.
lgtm
See fastify/fastify-autoload#330
Checklist
npm run test
and npm run benchmark
and the Code of conduct