Skip to content

Potential fix for code scanning alert no. 60: Inefficient regular expression #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Git-Hub-Chris merged 4 commits into from
Oct 4, 2025
Merged

Potential fix for code scanning alert no. 60: Inefficient regular expression #19

Git-Hub-Chris merged 4 commits into from
Oct 4, 2025

Conversation

@Git-Hub-Chris
Copy link
Owner

@Git-Hub-Chris Git-Hub-Chris commented Sep 16, 2025

Potential fix for https://github.com/Git-Hub-Chris/MicrosoftVsCode/security/code-scanning/60

To fix the problem, we need to rewrite the regular expression on line 70 to avoid ambiguous subpatterns that could be matched in multiple ways during backtracking—specifically, the .* and .*? patterns. In this context, the regular expression is used to identify and extract file paths in status/comment lines from git, which almost always use non-whitespace file names (with possible spaces but not newlines or tabs). We should make the capturing patterns more specific, such that file1 and file2 will not match the '->' separator or newline, and also will not greedily over-match white space separators.

We can thus replace .* with something like \S.*? or [^->\n]+ (excluding the '->' token or at least newline and the separator), or more conservatively, match everything up to the next separator or EOL. Commonly, file names in this context do not contain the substring ' -> '; so, we can use a negated character group or non-greedy matching up to the next separator.

Proposed change:

  • Replace .*? (for file1) with a capture like [^\n]+? or perhaps more strictly [^-][^>\n]+? (but that gets awkward)
  • Replace .* (for file2) within the repeated group with a similarly constrained pattern: e.g., [^\n]+?

After testing various cases, an appropriate rewrite would be:

^#\s+(modified|new file|deleted|renamed|copied|type change):\s+(?<file1>[^\n]*?)(?:\s+->\s+(?<file2>[^\n]*))*$

Or, if '->' can truly never appear in the filename, and separators are ' -> ', then:

^#\s+(modified|new file|deleted|renamed|copied|type change):\s+(?<file1>[^-][^>\n]*?)(?:\s+->\s+(?<file2>[^-][^>\n]*))*$

But to keep things simpler and retain as much previous behavior as possible, [^\n]*? is safe and avoids backtracking.

Edit line 70 in gitEditor.ts to use the updated regex.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@Git-Hub-Chris @github-advanced-security
Potential fix for code scanning alert no. 60: Inefficient regular exp…
e0a3ead 
…ression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 16, 2025
View reviewed changes
@Git-Hub-Chris Git-Hub-Chris marked this pull request as ready for review October 4, 2025 01:46
@Git-Hub-Chris Git-Hub-Chris merged commit 1bd709e into Main Oct 4, 2025
11 checks passed
@Git-Hub-Chris Git-Hub-Chris deleted the alert-autofix-60 branch October 4, 2025 01:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Git-Hub-Chris