From b2950a58e640a5c55d7e8bbbf2e8bf7194fa91eb Mon Sep 17 00:00:00 2001 From: tomaioo Date: Thu, 23 Apr 2026 23:22:21 -0700 Subject: [PATCH 1/4] fix(security): 2 improvements across 2 files - Security: Regular expression injection / ReDoS risk from unescaped search input - Security: Regex construction from unescaped characters in ObjectKey renderer Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- src/application/components/HighlightMatch.tsx | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/src/application/components/HighlightMatch.tsx b/src/application/components/HighlightMatch.tsx index d32e3a554..787f3d05a 100644 --- a/src/application/components/HighlightMatch.tsx +++ b/src/application/components/HighlightMatch.tsx @@ -4,7 +4,20 @@ interface HighlightMatchProps { } const HighlightMatch = ({ searchTerm, value }: HighlightMatchProps) => { - const regex = new RegExp(searchTerm, "i"); + if (!searchTerm) { + return <>{value}; + } + + const escapedSearchTerm = searchTerm.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); + + let regex: RegExp; + + try { + regex = new RegExp(escapedSearchTerm, "i"); + } catch { + return <>{value}; + } + const match = regex.exec(value); if (!match) { @@ -17,7 +30,7 @@ const HighlightMatch = ({ searchTerm, value }: HighlightMatchProps) => { {match[0]} - {value.slice(match.index + searchTerm.length)} + {value.slice(match.index + match[0].length)} ); }; From c10b16d01bee7e26ea338459cfb84aca0af2455e Mon Sep 17 00:00:00 2001 From: tomaioo Date: Thu, 23 Apr 2026 23:22:22 -0700 Subject: [PATCH 2/4] fix(security): 2 improvements across 2 files - Security: Regular expression injection / ReDoS risk from unescaped search input - Security: Regex construction from unescaped characters in ObjectKey renderer Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- src/application/components/ObjectViewer/ObjectKey.tsx | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
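Review bot: The `try { regex = new RegExp(escapedSearchTerm, "i"); } catch { … }` in the first HighlightMatch hunk is unreachable once the term has gone through the metacharacter escape: the pattern is a plain literal and, as far as I can see, `new RegExp` cannot raise a SyntaxError for it, so the fallback only hides a future regression if the escaping is ever removed. Either collapse it to `const regex = new RegExp(escapedSearchTerm, "i");` or keep it with a comment such as `// defensive: an escaped literal should never fail to compile` so the next reader knows the catch is intentional. Slicing by `match[0].length` in the second hunk is the right anchor now that the match is produced by the escaped pattern rather than the raw term. HighlightMatch's body continues between and after the two hunks, outside the view.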
diff --git a/src/application/components/ObjectViewer/ObjectKey.tsx b/src/application/components/ObjectViewer/ObjectKey.tsx
index b6fb540a4..63f5fe3ac 100644
--- a/src/application/components/ObjectViewer/ObjectKey.tsx
+++ b/src/application/components/ObjectViewer/ObjectKey.tsx
@@ -14,7 +14,13 @@ export const ObjectKey = customRenderable(
 ({ className, value, softWrapCharacters }: ObjectKeyProps) => {
 const uniqueChars = new Set(softWrapCharacters);
 const regex = softWrapCharacters
- ? new RegExp(`(${softWrapCharacters.join("|")})`)
+ ? new RegExp(
+ `(${softWrapCharacters
+ .map((character) =>
+ character.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")
+ )
+ .join("|")})`
+ )
 : null;
 return (
From dd0f3b628cc6dd7f55dfbbc2e11a0b5c730967b1 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Fri, 24 Apr 2026 17:21:50 -0700
Subject: [PATCH 3/4] =?UTF-8?q?fix:=20address=20review=20feedback=20?= =?UTF-8?q?=E2=80=94=20I'd=20love=20to=20use=20[`RegExp.escape`](https://d?= =?UTF-8?q?eveloper.mozilla.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 src/application/components/ObjectViewer/ObjectKey.tsx | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/src/application/components/ObjectViewer/ObjectKey.tsx b/src/application/components/ObjectViewer/ObjectKey.tsx
index 63f5fe3ac..b850dd192 100644
--- a/src/application/components/ObjectViewer/ObjectKey.tsx
+++ b/src/application/components/ObjectViewer/ObjectKey.tsx
@@ -15,11 +15,7 @@ export const ObjectKey = customRenderable(
 const uniqueChars = new Set(softWrapCharacters);
 const regex = softWrapCharacters
 ? new RegExp(
- `(${softWrapCharacters
- .map((character) =>
- character.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")
- )
- .join("|")})`
+ `(${softWrapCharacters.map((character) => RegExp.escape(character)).join("|")})`
 )
 : null;
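Review bot: The new alternation in the ObjectKey hunk is built from `softWrapCharacters` itself while the line just above computes `uniqueChars = new Set(softWrapCharacters)`, so duplicate entries produce redundant `|` alternatives; if `uniqueChars` is meant to be the canonical list, mapping over `[...uniqueChars]` keeps the two in step. The rest of ObjectKey, including where `uniqueChars` is consumed, is outside the hunk, so this is a consistency remark rather than a reported defect.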
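Review bot: `RegExp.escape(character)` in the PATCH 3/4 ObjectKey hunk, and `RegExp.escape(searchTerm)` in the PATCH 4/4 HighlightMatch hunk, replace a universally supported escape with a static method that only recent engines ship (a recent ES2025 addition), so on an older browser or Node runtime the call throws `TypeError: RegExp.escape is not a function` at render time, and the TypeScript build needs `lib` typings that declare it. In HighlightMatch the call sits above the `try` block, so that failure is not caught by the fallback that returns the raw value. Unless the project's supported-runtime floor guarantees the API, keep the manual escape as a fallback, e.g. `typeof RegExp.escape === "function" ? RegExp.escape(character) : character.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")`, ideally in one shared `escapeRegExp` helper used by both files. Both patches also drop the file's trailing newline (`\ No newline at end of file`), which looks like an editor artifact worth reverting.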
@@ -41,4 +37,4 @@ export const ObjectKey = customRenderable(
 ...props,
 value: parentProps.value,
 })
-);
+);
\ No newline at end of file
From b153f32bbc453e70f273fdf2fa1a6594f481641f Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Fri, 24 Apr 2026 17:21:56 -0700
Subject: [PATCH 4/4] =?UTF-8?q?fix:=20address=20review=20feedback=20?= =?UTF-8?q?=E2=80=94=20```suggestion=20=20=20const=20escapedSearchTerm=20?= =?UTF-8?q?=3D=20RegExp.escape(sear?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 src/application/components/HighlightMatch.tsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/application/components/HighlightMatch.tsx b/src/application/components/HighlightMatch.tsx
index 787f3d05a..4b1aedede 100644
--- a/src/application/components/HighlightMatch.tsx
+++ b/src/application/components/HighlightMatch.tsx
@@ -8,7 +8,7 @@ const HighlightMatch = ({ searchTerm, value }: HighlightMatchProps) => {
 return <>{value};
 }
- const escapedSearchTerm = searchTerm.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+ const escapedSearchTerm = RegExp.escape(searchTerm);
 let regex: RegExp;
@@ -35,4 +35,4 @@ const HighlightMatch = ({ searchTerm, value }: HighlightMatchProps) => {
 );
 };
-export default HighlightMatch;
+export default HighlightMatch;
\ No newline at end of file