fix(rrweb-snapshot): rewrite vulnerable regexes flagged by CodeQL#289
Merged
Conversation
Pull request overview
Hardens rrweb-snapshot against CodeQL-flagged regex performance issues by rewriting a selector comment-stripping regex to avoid catastrophic backtracking and simplifying a whitespace-only text-node check using native trim().
Changes:
- Rewrites selector comment stripping in the CSS parser to a linear-time lazy match to prevent ReDoS scenarios.
- Replaces a multiline whitespace-trimming regex with `.trim()` for whitespace-only text node detection.
- Adds unit tests covering selector comment stripping behavior and a regression guard for unterminated comment inputs.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| packages/rrweb-snapshot/src/css.ts | Replaces the vulnerable selector comment-stripping regex with a linear-time alternative. |
| packages/rrweb-snapshot/src/snapshot.ts | Uses native .trim() for whitespace-only text-node detection (replacing regex-based trimming). |
| packages/rrweb-snapshot/test/css.test.ts | Adds tests for selector comment stripping and a regression test to prevent catastrophic backtracking. |
chargome
approved these changes
Apr 28, 2026
Three regex issues:

1. css.ts:445 (CodeQL #5, #6) — the comment-stripping regex used in selector parsing had nested `*` quantifiers over alternatives that could match the same characters, causing exponential backtracking on inputs like `/*` followed by many `\n*` with no closing `*/`. Rewritten as a lazy match (`/\/\*[\s\S]*?\*\/+/g`), which is linear-time and produces identical output for all well-formed comments. Adds a regression test that hangs the old regex.
2. snapshot.ts:1348 (CodeQL #4) — flagged for polynomial-time whitespace trimming via `replace(/^\s+|\s+$/gm, '')`. Replaced with `trim()`, which has the same observable behavior for the length-zero check the call site does and is implemented natively.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
d07cd5d to
9ded3a2
logaretm
added a commit
to getsentry/sentry-javascript
that referenced
this pull request
May 8, 2026
Bumps all rrweb dependencies in tests and internal packages to the latest versions. The changelog for these new releases is:

- [(rrweb-snapshot) Rewrite vulnerable regexes](getsentry/rrweb#289)
- [Use CSS Declaration replaceSync to parse styles to avoid CSP violations](getsentry/rrweb#286)
- [Wrap iframe contentWindow access in try-catch](getsentry/rrweb#275)

Full changelog can be [found here](https://github.com/getsentry/rrweb/releases/tag/2.42.0).
Rewrites two regexes flagged by CodeQL: the CSS-comment-stripping regex in css.ts (CodeQL alerts 5 and 6) had nested quantifiers causing exponential backtracking on unterminated comments, and the whitespace-trim regex in snapshot.ts (CodeQL alert 4) was polynomial.
Both replacements are observably identical for well-formed input; the new comment regex additionally strips two malformed-but-valid comment shapes (`/***/`, `/**foo**/`) that the old one left unchanged.
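The two hardened patterns from the commit message and the PR description above, as an added example that is not rrweb's own code: the lazy comment regex quoted in the commit (`/\/\*[\s\S]*?\*\/+/g`) and the native `trim()` check, each wrapped in a small helper, plus a constructed regression input of the shape the commit describes (`/*` followed by many `\n*` pairs and no closing `*/`) with a timing helper so a test can assert the stripper stays linear on it. The helper names (`stripSelectorComments`, `isWhitespaceOnly`, `timeStrip`) are assumptions, not rrweb's function names; the old regex is not reproduced because the page does not show it.

```javascript
// Added example, not rrweb-snapshot source. Helper names are assumptions.

// Lazy-match comment stripper, as quoted in the commit message. The [\s\S]*?
// body expands one character at a time and the tail \*\/+ must begin with a
// literal '*', so there are never two overlapping ways to consume the same
// characters: an unterminated comment fails in time proportional to its length.
const COMMENT_RE = /\/\*[\s\S]*?\*\/+/g;

function stripSelectorComments(selector) {
  return selector.replace(COMMENT_RE, '');
}

// Whitespace-only text-node check using native trim() instead of
// replace(/^\s+|\s+$/gm, '') followed by a length-zero test.
function isWhitespaceOnly(text) {
  return text.trim().length === 0;
}

// Constructed regression input (not from the page's test file): an opened
// comment followed by `pairs` copies of "\n*" and no closing "*/".
function unterminatedCommentInput(pairs) {
  return '/*' + '\n*'.repeat(pairs);
}

// Times the stripper on the constructed input. Returns elapsed milliseconds and
// whether the input came back unchanged (no comment was closed, so nothing may
// be removed), so a caller can assert both speed and correctness.
function timeStrip(pairs) {
  const input = unterminatedCommentInput(pairs);
  const start = Date.now();
  const output = stripSelectorComments(input);
  return { ms: Date.now() - start, unchanged: output === input };
}

// Small demonstration when run directly.
for (const s of ['a /* x */ > b', '/***/', '/**foo**/', 'a/*b*/c/*d*/e', '/* open']) {
  console.log(JSON.stringify(s), '->', JSON.stringify(stripSelectorComments(s)));
}
console.log('unterminated 20000 pairs:', timeStrip(20000));
```

The timing helper is the defensive check worth keeping in a test suite: a regression guard that asserts a bounded run time on the malformed input catches a future edit that reintroduces overlapping quantifiers, which plain output comparisons on well-formed comments never would.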