Security: Polynomial Regular Expression (ReDoS)
Source: GitHub Code Scanning alerts #6 and #7
Description
The email validation regex /^[^\s@]+@[^\s@]+\.[^\s@]+$/ used in two locations has overlapping character classes that cause polynomial (O(n^2)) backtracking on crafted input.
Affected Locations
core/events/Event.js:153 — _validateAttendees() (constructor path)
core/events/Event.js:923 — _isValidEmail() method
Attack Vector
Input like "user@" + "a".repeat(50) (no dot after @) forces the regex engine to try all possible splits between the second and third [^\s@]+ groups before failing. This creates O(n^2) backtracking that can hang the event loop.
Exploitable via:
- ICS import with crafted attendee email
- Direct API call to Event constructor with malicious attendee data
Fix
Replace with a non-backtracking pattern. The overlap is between [^\s@]+ before the . and [^\s@]+ after it — both can match the same characters.
// Option 1: Prevent overlap by excluding dot from middle group
const emailRegex = /^[^\s@]+@[^\s@.]+\.[^\s@]+$/;
// Option 2: Simpler pattern (sufficient for basic validation)
const emailRegex = /^[^\s@]+@[^\s@]+$/;
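As an added example (not code from the original issue or the project), the following shows the two replacement patterns next to the flagged one, wrapped in a validator that also caps input length before the regex runs. The names `isValidEmail`, `validateAttendees`, `compareOptions` and the 254-character limit are assumptions made for this illustration; the project's own `_isValidEmail()` / `_validateAttendees()` are not reproduced here.

```javascript
// Added example: email validation with the hardened patterns from the fix,
// plus a length cap as defense in depth. Function names and the length
// limit below are assumptions, not the project's code.

// Flagged pattern, kept only for side-by-side comparison (do not use):
// the group before '.' and the group after it can match the same characters.
const FLAGGED_EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Option 1: the group between '@' and '.' may not contain '.', so the
// position of the required dot is unambiguous and the two groups no longer overlap.
const STRICT_EMAIL_REGEX = /^[^\s@]+@[^\s@.]+\.[^\s@]+$/;

// Option 2: only requires a single '@'; the two groups are separated by '@',
// which neither group can match, so there is nothing to backtrack over.
const BASIC_EMAIL_REGEX = /^[^\s@]+@[^\s@]+$/;

// Assumed upper bound (RFC 5321 limits a full address to 254 octets).
// Bounding input length keeps any regex cost small even if a pattern
// with bad worst-case behaviour slips back in later.
const MAX_EMAIL_LENGTH = 254;

function isValidEmail(value, pattern = STRICT_EMAIL_REGEX) {
  if (typeof value !== 'string') return false;
  // Reject oversized input before the regex engine ever sees it.
  if (value.length > MAX_EMAIL_LENGTH) return false;
  return pattern.test(value);
}

// Returns how each of the three patterns judges one input, so the
// behavioural difference between the options is visible.
function compareOptions(value) {
  return {
    flagged: isValidEmail(value, FLAGGED_EMAIL_REGEX),
    strict: isValidEmail(value, STRICT_EMAIL_REGEX),
    basic: isValidEmail(value, BASIC_EMAIL_REGEX),
  };
}

// Hypothetical attendee check: returns the list of rejected addresses
// instead of throwing, so a caller can report them all at once.
function validateAttendees(attendees, pattern = STRICT_EMAIL_REGEX) {
  return attendees
    .filter((attendee) => !isValidEmail(attendee.email, pattern))
    .map((attendee) => attendee.email);
}

// The crafted input described in the issue (constructed here for the demo).
const craftedInput = 'user@' + 'a'.repeat(50);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareOptions('alice@example.com'));
  console.log(compareOptions('user@localhost'));
  console.log(compareOptions(craftedInput));
  console.log(validateAttendees([
    { email: 'alice@example.com' },   // constructed sample attendee
    { email: craftedInput },          // constructed crafted attendee
  ]));
}
```

Two points are worth keeping in mind when choosing between the options. Option 1 still requires a dot after the `@`, so `user@localhost` is rejected just as it was by the flagged pattern; Option 2 accepts it, and also accepts the crafted `user@aaa…` input as syntactically valid, because it no longer asks for a dot at all. Neither choice is wrong, but the one picked should match what the rest of the code expects an attendee address to look like.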
Related