@yoeunes yoeunes commented Dec 3, 2025

Description

This pull request significantly enhances regex analysis capabilities by introducing character set boundary awareness for improved ReDoS detection and allowing specific patterns to be ignored from analysis. It also extends the scope of regex validation to Symfony Validator constraints and upgrades Symfony dependencies to version 8.0.

Key changes include:

  • Refined ReDoS Analysis: Implements character set boundary analysis to more accurately identify potential catastrophic backtracking, reducing false positives.
  • Pattern Ignoring: Adds a configurable list of regex patterns that the analyzers should ignore, useful for well-known safe patterns like Symfony requirement constants.
  • Symfony Validator Integration: Introduces a new analyzer (ValidatorRegexAnalyzer) to detect issues within Symfony\Component\Validator\Constraints\Regex constraints, integrating this analysis into the cache warmer and console command.
  • Improved Issue Reporting: Consolidates issue reporting into a new AnalysisIssue class and includes the problematic pattern in warning/error messages for better context.
  • Symfony 8.0 Support: Updates Symfony component dependencies to ^8.0.

These improvements lead to more precise regex security and complexity analysis across Symfony applications.

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

Related Issue

Fixes #(issue number)

Testing

  • Unit tests added/updated
  • Tests pass locally
  • No new warnings

Checklist

  • My code follows the project style
  • I have run phpstan and phpunit
  • Documentation updated if needed
  • No breaking changes without discussion

Introduces a new analyzer to scan Symfony Validator constraints for regex syntax errors and ReDoS vulnerabilities.

Integrates this analysis into the bundle's cache warmer and console command, providing comprehensive regex validation across routes and validator definitions.

Renames the issue reporting class to `RegexAnalysisIssue` to accommodate generalized findings from various sources.

Updates Symfony dependencies to explicitly support version 8.0.

Includes the problematic regex pattern directly in all analysis issues (invalid, ReDoS, and complexity warnings). This provides crucial context for debugging and resolving regex-related problems.

Truncates excessively long patterns in issue messages to maintain readability in logs and console output.

Modernizes the console command definition by adopting the `#[AsCommand]` attribute.

Adds a new configuration option `regex_parser.analysis.ignore_patterns` for Symfony applications. This allows users to specify regex fragments that should be skipped during ReDoS and complexity analysis.

The analysis logic in `RouteRequirementAnalyzer` and `ValidatorRegexAnalyzer` now automatically identifies and ignores common, trivially safe patterns and user-defined patterns. This significantly reduces false positives and noise in reports, ensuring focus on genuinely problematic regexes.

Also renames `RegexAnalysisIssue` to `AnalysisIssue` for a more general and less specific naming. Detailed pattern information is now included in issue messages for improved debugging.

Improves ReDoS detection by introducing `CharSet` and `CharSetAnalyzer` to identify mutually exclusive character sets between adjacent regex elements. This refinement helps prevent false positives for nested unbounded quantifiers when backtracking is naturally avoided.

Refactors ignored patterns for ReDoS analysis into the central `Regex` service, replacing hardcoded Symfony `Requirement` constants in analyzer classes. This provides a more flexible and configurable approach to exclude known safe patterns.
@yoeunes yoeunes merged commit 1f4bf94 into main Dec 3, 2025
8 checks passed
2 participants