Skip to content

Potential fix for code scanning alert no. 59: Inefficient regular expression #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Git-Hub-Chris merged 11 commits into from
Oct 2, 2025
Merged

Potential fix for code scanning alert no. 59: Inefficient regular expression #10

Git-Hub-Chris merged 11 commits into from
Oct 2, 2025

Conversation

@Git-Hub-Chris
Copy link
Owner

@Git-Hub-Chris Git-Hub-Chris commented Sep 15, 2025

Potential fix for https://github.com/Git-Hub-Chris/MicrosoftVsCode/security/code-scanning/59

The fix involves rewriting the ambiguous and potentially catastrophic part of the regex to ensure each iteration of the repetition "owns" its whitespace and arrow parts in an unambiguous way. Specifically:

  • Replace the inner (?:\s+->\s+(?<file2>.*))* so the whitespace around the -> cannot be confused with the trailing whitespace in its own file capture (i.e., .*? will try to consume whitespace, which can be then grabbed in the following repetition).
  • Instead of .*?, use something that will not overlap with the separator: for example, capture everything up to the -> or the end of line. This can be accomplished with a negated lookahead or by using a character class to exclude the separator sequence.
  • Use [^\s] or ([^\r\n]|(?!\s+->)) type approach to avoid ambiguity, but here we can use a character class that matches anything except the start of a separator, or a "greedy but up-to" match.

For Git diff files, filenames in commit messages do not contain literal tabs or ->, so matching up to the separator is safe.

Thus, for each "file" in the arrow-separated chain, we match any text up to (but not including) the next separator, replacing .*? with something like [^\r\n]+? (stopping at separator), or a lazy match up to lookahead for \s+-> or end of string.

So, rewrite as:

  • For file1: [^\r\n]+?
  • For file2: in the repeated group, say (?<file2>[^\r\n]+?)
  • For the repeated group, use a lookahead so the repeated whitespace and arrows can't be split up in exponentially many ways.

Concrete edit:
Replace this (line 70):

private readonly _regex = /^#\s+(modified|new file|deleted|renamed|copied|type change):\s+(?<file1>.*?)(?:\s+->\s+(?<file2>.*))*$/gm;

with:

private readonly _regex = /^#\s+(modified|new file|deleted|renamed|copied|type change):\s+(?<file1>[^\r\n]+?)(?:\s+->\s+(?<file2>[^\r\n]+?))*$/gm;

Now, each file is matched up to the next separator or end of line, never consuming separator whitespace in ambiguous ways.

No new imports or utility methods are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@Git-Hub-Chris @github-advanced-security
Potential fix for code scanning alert no. 59: Inefficient regular exp…
7a287f5 
…ression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 15, 2025
View reviewed changes
@Git-Hub-Chris Git-Hub-Chris marked this pull request as ready for review October 2, 2025 06:24
@Git-Hub-Chris Git-Hub-Chris merged commit 8d65630 into Main Oct 2, 2025
11 checks passed
@Git-Hub-Chris Git-Hub-Chris deleted the alert-autofix-59 branch October 2, 2025 06:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Git-Hub-Chris