fix(security): remove ReDoS-prone regex in extractCidPath (CodeQL high)#315
Merged
Conversation
extractCidPath ran `s.match(/\/ipfs\/(.+)$/i)` on caller-supplied strings
(anchor URLs, CIDs). As a search-anywhere pattern it retries `/ipfs/` at many
start positions with a backtracking `.+$`, which CodeQL flags as polynomial
ReDoS on hostile inputs like "/ipfs/a/ipfs/a/ipfs/a…".
Replace it with a linear `indexOf("/ipfs/")` + `slice`, preserving the exact
behavior (everything after the first "/ipfs/" segment that has content,
case-insensitive). Add an extractCidPath test covering the equivalence cases
plus a hostile-input case that must terminate quickly.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Fixes the high-severity CodeQL alert ("Polynomial regular expression used on uncontrolled data") flagged on the release PR #303, in `src/lib/ipfs.ts`.

**The issue**

`extractCidPath()` parses caller-supplied strings (IPFS anchor URLs, CIDs) and ran:

As a search-anywhere pattern, the engine retries the `/ipfs/` literal at many start positions, each followed by a backtracking `.+$`. On hostile input like `/ipfs/a/ipfs/a/ipfs/a…` this is O(n²) polynomial work — a denial-of-service vector, since `extractCidPath` runs on user-controlled anchor values (e.g. in `/api/ipfs/resolve`).

**The fix**

Replace the regex with a linear `indexOf("/ipfs/")` + `slice`, preserving the exact behavior: take everything after the first `/ipfs/` segment that has content, case-insensitive. No backtracking → linear time.

Added `src/__tests__/ipfs.test.ts` covering the equivalence cases (bare CID, `ipfs://`, gateway URLs with path, case-insensitive marker, query/hash stripping, traversal/short rejection) and a hostile repeated-`/ipfs/` input that must terminate in <1s.

**Verify**

`tsc` clean · `jest` 369 passed (+7 new) · lint clean.

Merging into `preprod` clears the alert on the release PR #303.

🤖 Generated with Claude Code
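As an added illustration (not code from this PR or from the project's `src/lib/ipfs.ts`), the pre-fix search-anywhere regex beside a linear `indexOf` + `slice` form, with the equivalence and hostile-input checks the description talks about. The function names, the constructed sample inputs, and the omission of the project's query/hash stripping and traversal checks are assumptions made here.

```typescript
// Added illustration of the PR's change, not the project's own src/lib/ipfs.ts.
// Names are assumed; the project's query/hash stripping and traversal checks
// are left out so only the "/ipfs/" marker-matching step is compared.

const MARKER = "/ipfs/";

// Pre-fix shape: a search-anywhere regex. For each candidate start position
// the engine re-scans the remainder with a backtracking `.+$`, so a string of
// repeated "/ipfs/a" fragments costs O(n^2). Kept only for comparison.
export function extractCidPathRegex(s: string): string | null {
  const m = s.match(/\/ipfs\/(.+)$/i);
  return m ? m[1] ?? null : null;
}

// Post-fix shape: one indexOf pass plus a slice. Only the first marker can
// matter: a marker with nothing after it must sit at the very end of the
// string, so no later marker could exist. Case folding is done by lowercasing,
// which assumes ASCII text around the marker (indices stay aligned), and
// single-line input (the regex's `.` stops at line terminators).
export function extractCidPathLinear(s: string): string | null {
  const i = s.toLowerCase().indexOf(MARKER);
  if (i < 0) return null;
  const rest = s.slice(i + MARKER.length);
  return rest.length > 0 ? rest : null;
}

// Constructed equivalence inputs: bare CID (no marker), ipfs:// URL (no
// "/ipfs/" marker either), gateway URL with path, mixed-case marker,
// marker with no content, and two markers where the first one wins.
export const SAMPLES: string[] = [
  "bafyconstructedcid",
  "ipfs://bafyconstructedcid",
  "https://gateway.example/ipfs/bafyconstructedcid/dir/file.txt",
  "https://Gateway.example/IPFS/bafyconstructedcid/x",
  "https://gateway.example/ipfs/",
  "/ipfs/a/ipfs/b",
];

// True when both implementations agree on every input.
export function implementationsAgree(inputs: string[] = SAMPLES): boolean {
  return inputs.every((s) => extractCidPathRegex(s) === extractCidPathLinear(s));
}

// Hostile shape from the CodeQL alert, run only through the linear version.
// Returns the length of the extracted tail (-1 if nothing was extracted).
export function hostileResultLength(repeats: number): number {
  const out = extractCidPathLinear("/ipfs/a".repeat(repeats));
  return out === null ? -1 : out.length;
}
```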