Merge canary into main: path security, Zod validation, AI enhancements, infra updates#180
Conversation
@copilot Fix these issues: Please resolve the following Polynomial ReDoS vulnerabilities identified by CodeQL in backend/main.py. For each issue, rewrite the regex to be "linear" or "possessive" to prevent catastrophic backtracking.

Issue 1: Duration Unit Parsing
Location: Inside the `_to_seconds` function (the `re.finditer` call).
Problem: The group `(?P\d+(?:.\d+)?)\s*` combined with the long list of optional units can be exploited if a user provides a very long string of numbers and spaces without a valid unit terminator.
Fix Required: Simplify the numeric matching and ensure the unit boundaries are strict.

Issue 2: "From...To..." Extraction
Location: `m = re.search(r"from\s+([^\s]+(?:\s*[a-z]+)?)\s+to\s+([^\s]+(?:\s*[a-z]+)?)", text)`
Problem: The nested optional groups `([^\s]+(?:\s*[a-z]+)?)` are the culprit. When the engine fails to find a match, it tries every possible permutation of spaces and letters, leading to exponential complexity (specifically triggered by strings like "from !" followed by many "aa").
Fix Required: Refactor to avoid nested quantifiers. Use a simpler non-whitespace match or a non-backtracking approach.

Issue 3: "Long" Duration Parsing
Location: `m4 = re.search(r"(?:to\s+)?([^\s]+(?:\s*[a-z]+)?)\s+long", text)`
Problem: Similar to Issue 2, the `([^\s]+(?:\s*[a-z]+)?)` pattern is unstable. CodeQL notes it fails on strings with many repetitions of `!`.
Fix Required: Replace the capture group with a more restrictive pattern that doesn't "loop inside a loop."

Issue 4: "Set to/Make it" Parsing
Location: `m5 = re.search(r"(?:set\s+(?:it\s+)?to|make\s+(?:it\s+)?)\s+([^\s]+(?:\s*[a-z]+)?)", text)`
Problem: The combination of multiple optional words (`it`, `to`) followed by the same problematic `([^\s]+(?:\s*[a-z]+)?)` group. This is vulnerable to "ambiguous matching" where the engine gets lost in the spaces.
Fix Required: Flatten the regex and use atomic grouping or simpler delimiters.
Co-authored-by: sr2echa <65058816+sr2echa@users.noreply.github.com>
Fixed in 6dcd2f2. Summary of each change:

- Issue 1 (`_to_seconds` regex) — bound quantifiers (`{1,15}`, `{1,10}`), replace `\s*` with `[ ]?`, order units longest-first
- Issue 2 (`from...to` regex) — replace `[^\s]+(?:\s*[a-z]+)?` with `[0-9][0-9.]*[a-z]*(?:[ ][a-z]{1,12})?`
- Issue 3 (`long` duration regex) — same fix as Issues 2/4
- Issue 4 (`set to / make it` regex) — same fix
- and also `m2` and `m3` patterns (at/from and for/span patterns)

Adversarial inputs of 5,000 characters now complete in <0.2 ms. CodeQL reports 0 alerts.

Merged commit message:

* re-introduce project sync
* refactor: streamline media deletion logic in useMediaBin hook
* refactor: enhance path security and streamline file handling in timeline and video render modules
* feat: enhance AI functionality + ChatBox with context menu and utilities
* feat: integrate zod validation
* chore: update environment configuration and Docker settings
* chore: update frontend server port in nginx configuration
* feat: left panel bar
* Bump react-router from 7.7.1 to 7.12.0

  Bumps [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router) from 7.7.1 to 7.12.0.
  - [Release notes](https://github.com/remix-run/react-router/releases)
  - [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md)
  - [Commits](https://github.com/remix-run/react-router/commits/react-router@7.12.0/packages/react-router)

  ---
  updated-dependencies:
  - dependency-name: react-router
    dependency-version: 7.12.0
    dependency-type: direct:production
  ...

  Signed-off-by: dependabot[bot] <support@github.com>

* Merge canary into main: path security, Zod validation, AI enhancements, infra updates (#180)

  * Initial plan
  * Fix 4 Polynomial ReDoS vulnerabilities in backend/main.py regexes

  Co-authored-by: sr2echa <65058816+sr2echa@users.noreply.github.com>

  ---------

  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: sr2echa <65058816+sr2echa@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: sr2echa <65058816+sr2echa@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
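The following is an added example, not code from this repository or from the Copilot change. It places the flagged `from ... to` regex quoted in the thread beside the linear replacement the fix describes, and applies the same recipe (bounded quantifiers, `[ ]?` instead of `\s*`, longest-first unit alternation) to a duration-unit pattern in the style of `_to_seconds`. The unit table, the function names `extract_from_to`, `to_seconds`, `adversarial` and `search_seconds`, and the reconstruction of the duration regex are this example's assumptions; the project's actual `_to_seconds` is not shown on this page. The `m4`/`m5` patterns from Issues 3 and 4 take the identical `VALUE` substitution and are not repeated.

```python
"""Added example (not the project's code): the vulnerable 'from ... to' regex
quoted in the PR beside the linear replacement described in the fix, plus a
duration-unit pattern built with the same recipe. Unit table, function names
and the _to_seconds reconstruction are this example's assumptions."""
import re
import time

# Flagged pattern, quoted from the PR. Inside the optional group, [a-z]+ can
# re-consume letters that [^\s]+ already matched, so on a failing input the
# engine retries every split point: O(n^2) backtracking (polynomial ReDoS).
FROM_TO_VULNERABLE = re.compile(
    r"from\s+([^\s]+(?:\s*[a-z]+)?)\s+to\s+([^\s]+(?:\s*[a-z]+)?)"
)

# Replacement quoted from the PR. Adjacent pieces use disjoint character
# classes ([0-9], [0-9.], [a-z], a literal space) and the only optional tail is
# capped at 12 letters, so each character can be consumed in exactly one way.
VALUE = r"[0-9][0-9.]*[a-z]*(?:[ ][a-z]{1,12})?"
FROM_TO_LINEAR = re.compile(rf"from\s+({VALUE})\s+to\s+({VALUE})")

# Assumed reconstruction of a hardened _to_seconds pattern following the PR's
# recipe: quantifiers bounded to {1,15}/{1,10}, \s* replaced by [ ]?, unit
# alternation ordered longest-first so "ms" is tried before "m" and "min"
# before "m". The unit list itself is this example's choice.
UNITS = {
    "milliseconds": 0.001, "millisecond": 0.001, "msec": 0.001, "ms": 0.001,
    "seconds": 1.0, "second": 1.0, "secs": 1.0, "sec": 1.0, "s": 1.0,
    "minutes": 60.0, "minute": 60.0, "mins": 60.0, "min": 60.0, "m": 60.0,
    "hours": 3600.0, "hour": 3600.0, "hrs": 3600.0, "hr": 3600.0, "h": 3600.0,
}
UNIT_ALT = "|".join(re.escape(u) for u in sorted(UNITS, key=len, reverse=True))
DURATION = re.compile(rf"([0-9]{{1,15}}(?:\.[0-9]{{1,10}})?)[ ]?({UNIT_ALT})\b")


def extract_from_to(text, pattern=FROM_TO_LINEAR):
    """Return (start, end) strings from 'from X to Y', or None on no match.
    Input is lower-cased first, as both patterns only accept [a-z]."""
    m = pattern.search(text.lower())
    return (m.group(1), m.group(2)) if m else None


def to_seconds(text):
    """Sum every '<number>[ ]<unit>' token, e.g. '1h 30 min' -> 5400.0."""
    return sum(float(m.group(1)) * UNITS[m.group(2)]
               for m in DURATION.finditer(text.lower()))


def adversarial(n):
    """CodeQL's witness quoted in the PR: 'from !' followed by many letters.
    Constructed input; it contains no 'to', so every search must fail."""
    return "from !" + "a" * n


def search_seconds(pattern, text):
    """Wall-clock seconds for one search; the vulnerable pattern grows ~n^2."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    print(extract_from_to("Trim the clip from 1.5s to 10 seconds"))
    print(to_seconds("1h 30 min"), to_seconds("250 ms"))
    for n in (1000, 2000, 4000):
        text = adversarial(n)
        print(f"n={n:5d}  vulnerable={search_seconds(FROM_TO_VULNERABLE, text):.3f}s"
              f"  linear={search_seconds(FROM_TO_LINEAR, text):.6f}s")
```

Running the script shows the vulnerable search time roughly quadrupling each time `n` doubles while the linear pattern stays at microseconds, and that both patterns return the same groups on well-formed input, which is the property a reviewer should check before accepting a ReDoS fix: the hardened regex must reject the adversarial string quickly without changing what it extracts from legitimate text.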