Skip to content

[hertzbeat-common]feature: Extracting groups from strings using regul…#3997

Closed
pj001 wants to merge 4 commits intoapache:masterfrom
pj001:a-feature-branch
Closed

[hertzbeat-common]feature: Extracting groups from strings using regul…#3997
pj001 wants to merge 4 commits intoapache:masterfrom
pj001:a-feature-branch

Conversation

@pj001
Copy link
Copy Markdown

@pj001 pj001 commented Jan 21, 2026
edited
Loading

What's changed?

Extracting groups from strings using regular expressions

Checklist

  • [√] I have read the Contributing Guide
  • [√] I have written the necessary doc or comment.
  • [√ ] I have added the necessary unit tests and all cases have passed.

Add or update API

  • I have added the necessary e2e tests and all cases have passed.

Duansg
Duansg requested changes Jan 21, 2026
View reviewed changes
hertzbeat-common/src/main/java/org/apache/hertzbeat/common/util/JexlCommonFunction.java
return null;
}
try {
Matcher matcher = Pattern.compile(regex).matcher(str);
Copy link
Copy Markdown
Member

@Duansg Duansg Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prevent ReDoS attacks here !

Duansg
Duansg requested changes Jan 21, 2026
View reviewed changes
hertzbeat-common/src/main/java/org/apache/hertzbeat/common/util/JexlCommonFunction.java
}
try {
Matcher matcher = Pattern.compile(regex).matcher(str);
if (matcher.find() && groupIndex <= matcher.groupCount()) {
Copy link
Copy Markdown
Member

@Duansg Duansg Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

incomplete boundary checks

hertzbeat-common/src/main/java/org/apache/hertzbeat/common/util/JexlCommonFunction.java
return matcher.group(groupIndex);
}
} catch (Exception e) {
// Return null when regular expression is incorrect
Copy link
Copy Markdown
Member

@Duansg Duansg Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

silent exception?

@Duansg
Copy link
Copy Markdown
Member

Duansg commented Jan 21, 2026

@tomsun28 @zqr10159 Could you take a look at this? Do we need to support regular expressions? 😥

@zqr10159
Copy link
Copy Markdown
Member

zqr10159 commented Jan 21, 2026

Sorry, we need to decline this PR.
Reason: Your implementation appears insecure, and it's not part of our current plans.
We'll consider a more secure approach in the future.

@zqr10159 zqr10159 closed this Jan 21, 2026
@pj001 pj001 deleted the a-feature-branch branch January 22, 2026 02:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Duansg Duansg Duansg requested changes

Assignees

No one assigned

Labels

backend

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pj001 @Duansg @zqr10159