Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix code scanning alert - Polynomial regular expression used on uncontrolled data #3501

Closed
1 task
char0n opened this issue May 8, 2024 · 4 comments · May be fixed by Jircs1/swagger-ui#3
Closed
1 task

Fix code scanning alert - Polynomial regular expression used on uncontrolled data #3501

char0n opened this issue May 8, 2024 · 4 comments · May be fixed by Jircs1/swagger-ui#3
Assignees
@glowcloud
Labels
cat: security security fix Security fix generated by WhiteSource type: bug version: 3.x

Comments

@char0n
Copy link
Member

char0n commented May 8, 2024
edited
Loading

Tracking issue for:
@char0n char0n added type: bug cat: security security fix Security fix generated by WhiteSource version: 3.x labels May 8, 2024
@glowcloud glowcloud mentioned this issue May 8, 2024
Merged
char0n added a commit that referenced this issue May 8, 2024
@glowcloud @char0n
fix(security): fix polynomial regular expression (#3502)
904ac5c 
Refs #3501

---------

Co-authored-by: Vladimír Gorej <[email protected]>
swagger-bot pushed a commit that referenced this issue May 8, 2024
@semantic-release-bot
chore(release): cut the 3.27.6 release [skip ci]
fd5d27c 
## [3.27.6](v3.27.5...v3.27.6) (2024-05-08)

### Bug Fixes

* **security:** fix polynomial regular expression ([#3502](#3502)) ([904ac5c](904ac5c)), closes [#3501](#3501)
@char0n
Copy link
Member Author

char0n commented May 8, 2024

Fully safe regexp: /\{([^{}]+)}|([^{}]+)/g

glowcloud added a commit that referenced this issue May 8, 2024
@glowcloud
fix(security): fix polynomial regular expression without limit length
dd20c57 
Refs #3501
@glowcloud glowcloud mentioned this issue May 8, 2024
Merged
@char0n
Copy link
Member Author

char0n commented May 8, 2024 

  while ((text = re.exec(str))) {
    if (text[1]) results.push(text[1]);
  }
  return results;

@char0n
Copy link
Member Author

char0n commented May 8, 2024

The issue was mitigated in #3502

@char0n
Copy link
Member Author

char0n commented May 8, 2024

The issue was fully remediated in #3507

@char0n char0n closed this as completed May 8, 2024
char0n added a commit that referenced this issue May 8, 2024
@glowcloud @char0n
fix(security): remedy polynomial regular expression without limiting …
79ae79f 
…length to 29 chars (#3507)

Refs #3501

---------

Co-authored-by: Vladimir Gorej <[email protected]>
swagger-bot pushed a commit that referenced this issue May 8, 2024
@semantic-release-bot
chore(release): cut the 3.27.7 release [skip ci]
7be6636 
## [3.27.7](v3.27.6...v3.27.7) (2024-05-08)

### Bug Fixes

* **security:** remedy polynomial regular expression without limiting length to 29 chars ([#3507](#3507)) ([79ae79f](79ae79f)), closes [#3501](#3501)
@Jircs1 Jircs1 mentioned this issue Jul 16, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@glowcloud glowcloud

Labels
cat: security security fix Security fix generated by WhiteSource type: bug version: 3.x
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Snyk] Upgrade swagger-client from 3.26.7 to 3.28.2 Jircs1/swagger-ui
2 participants
@char0n @glowcloud