Skip to content

fix(profile): avoid regex frontmatter field parsing#3853

Merged
RSO merged 1 commit into
mainfrom
fix/codeql-profile-skill-frontmatter-redos
Jun 9, 2026
Merged

fix(profile): avoid regex frontmatter field parsing#3853
RSO merged 1 commit into
mainfrom
fix/codeql-profile-skill-frontmatter-redos

Conversation

@kilo-code-bot

@kilo-code-bot kilo-code-bot Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Replaces multiline regex field extraction for skill frontmatter with bounded line-by-line parsing to avoid polynomial ReDoS on uncontrolled markdown.
  • Adds focused coverage for normal frontmatter extraction and long non-matching frontmatter lines.

Verification

N/A (backend-only parser change).

Visual Changes

N/A

Reviewer Notes

Targets CodeQL alert 426 only: https://github.com/Kilo-Org/cloud/security/code-scanning/426

@kilo-code-bot kilo-code-bot Bot requested a review from RSO June 9, 2026 09:36
@kilo-code-bot

kilo-code-bot Bot commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Contributor Author

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

The ReDoS fix correctly replaces two polynomial-backtracking multiline regexes with a bounded, linear line-by-line parser; logic is sound and test coverage is appropriate.

Files Reviewed (2 files)
  • packages/cloud-agent-profile/src/profile-skills-service.ts
  • packages/cloud-agent-profile/src/profile-skills-service.test.ts

Fix these issues in Kilo Cloud

Reviewed by claude-4.6-sonnet-20260217 · 330,873 tokens

Review guidance: REVIEW.md from base branch main

RSO
RSO approved these changes Jun 9, 2026
View reviewed changes

@RSO RSO left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CC @eshurakov because this one feels like it has a little more meat to it then the other one-line changes

@RSO RSO merged commit 4ddfd0c into main Jun 9, 2026
55 checks passed
@RSO RSO deleted the fix/codeql-profile-skill-frontmatter-redos branch June 9, 2026 12:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eshurakov eshurakov eshurakov approved these changes

@RSO RSO RSO approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@eshurakov @RSO