From 0cd6678f1bdeb6547fea1f8b4fcb17e4ce73d623 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Sat, 11 Apr 2026 01:17:30 +0700
Subject: [PATCH] fix(security): stateful global regex used for url validation can

`validateGitlabUrl` uses a regex with the global (`/g`) flag and calls `.test()`. In JavaScript, `.test()` with `/g` mutates internal `lastIndex`, causing repeated validations on the same input to alternate unpredictably. This can lead to false negatives/positives and weaken any security decisions based on this validator.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 webapp/src/utils/tooltip_utils.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webapp/src/utils/tooltip_utils.ts b/webapp/src/utils/tooltip_utils.ts
index 013ead9ef..68e29a048 100644
--- a/webapp/src/utils/tooltip_utils.ts
+++ b/webapp/src/utils/tooltip_utils.ts
@@ -2,7 +2,7 @@
 // See LICENSE.txt for license information.
 
 // Regex to match if a URl is valid merge request of issue URL
-const gitlabRegexPattern = /https?:\/\/(www\.)?.*\/([\w.?-]+)\/([\w-]+)\/-\/([\w-]+)\/([\d-]+$)/g;
+const gitlabRegexPattern = /https?:\/\/(www\.)?.*\/([\w.?-]+)\/([\w-]+)\/-\/([\w-]+)\/([\d-]+$)/;
 
 export const validateGitlabUrl = (url: string): boolean => {
     return gitlabRegexPattern.test(url);
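Review bot: The retained pattern on the added `const gitlabRegexPattern` line has no `^` anchor, so `.test()` still accepts a string with arbitrary leading content — e.g. `javascript:alert(1) https://gitlab.com/g/p/-/issues/1` passes because matching starts at the first `https://` the engine finds, while the `$` only pins the trailing number. Anchoring the start, `const gitlabRegexPattern = /^https?:\/\/(www\.)?.*\/([\w.?-]+)\/([\w-]+)\/-\/([\w-]+)\/([\d-]+$)/;`, closes that gap without changing which well-formed merge-request or issue URLs match. Note also that the `.*` between the scheme and the path accepts any host (and further `/` segments), so this validates URL shape only, not origin; if a caller treats `true` as proof the link points at the configured GitLab instance, that check has to live elsewhere — I cannot see the callers from this hunk. The comment above the constant should read `// Regex to match if a URL is a valid merge request or issue URL`, and the body of `validateGitlabUrl` continues outside the hunk.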