Add ReDoS protection for regex matching. (#4124)

Tyme-Bleyaert · web-flow · commit 9f9b2da3691b · 2025-09-09T22:45:53.000+02:00
Add some minor nit fixes.
diff --git a/examples/Demo/Shared/Microsoft.FluentUI.AspNetCore.Components.xml b/examples/Demo/Shared/Microsoft.FluentUI.AspNetCore.Components.xml
@@ -5302,9 +5302,6 @@
         <member name="P:Microsoft.FluentUI.AspNetCore.Components.FluentInputFile.Module">
             <summary />
         </member>
-        <member name="P:Microsoft.FluentUI.AspNetCore.Components.FluentInputFile.DropOver">
-            <summary />
-        </member>
         <member name="P:Microsoft.FluentUI.AspNetCore.Components.FluentInputFile.ClassValue">
             <summary />
         </member>
@@ -10308,6 +10305,11 @@
             Gets the default tooltip options.
             </summary>
         </member>
+        <member name="P:Microsoft.FluentUI.AspNetCore.Components.FluentTooltip.AriaLabel">
+            <summary>
+            Gets or sets the text used on aria-label attribute.
+            </summary>
+        </member>
         <member name="P:Microsoft.FluentUI.AspNetCore.Components.FluentTooltip.HideTooltipOnCursorLeave">
             <summary>
             Gets or sets the value indicating whether the library should close the tooltip if the cursor leaves the anchor and the tooltip.
@@ -15901,12 +15903,6 @@
         <member name="T:System.Text.RegularExpressions.Generated.Utilities">
             <summary>Helper methods used by generated <see cref="T:System.Text.RegularExpressions.Regex"/>-derived implementations.</summary>
         </member>
-        <member name="F:System.Text.RegularExpressions.Generated.Utilities.s_defaultTimeout">
-            <summary>Default timeout value set in <see cref="T:System.AppContext"/>, or <see cref="F:System.Text.RegularExpressions.Regex.InfiniteMatchTimeout"/> if none was set.</summary>
-        </member>
-        <member name="F:System.Text.RegularExpressions.Generated.Utilities.s_hasTimeout">
-            <summary>Whether <see cref="F:System.Text.RegularExpressions.Generated.Utilities.s_defaultTimeout"/> is non-infinite.</summary>
-        </member>
         <member name="F:System.Text.RegularExpressions.Generated.Utilities.s_ascii_20FF03FEFFFF87FEFFFF07">
             <summary>Supports searching for characters in or not in "-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz".</summary>
         </member>
diff --git a/src/Core/Components/Accordion/FluentAccordion.razor.cs b/src/Core/Components/Accordion/FluentAccordion.razor.cs
@@ -53,12 +53,12 @@ private async Task HandleOnAccordionChangedAsync(AccordionChangeEventArgs args)
     {
         if (args is not null)
         {
-            var Id = args.ActiveId;
-            if (Id is not null && items.TryGetValue(Id!, out FluentAccordionItem? item))
+            var id = args.ActiveId;
+            if (id is not null && items.TryGetValue(id!, out FluentAccordionItem? item))
             {
                 item.Expanded = args.Expanded;
                 await OnAccordionItemChange.InvokeAsync(item);
-                await ActiveIdChanged.InvokeAsync(Id);
+                await ActiveIdChanged.InvokeAsync(id);
             }
         }
     }
diff --git a/src/Core/Components/DataGrid/Columns/ColumnBase.razor.cs b/src/Core/Components/DataGrid/Columns/ColumnBase.razor.cs
@@ -269,7 +269,7 @@ protected void HandleKeyDown(FluentKeyCodeEventArgs e)
     /// <summary>
     /// Constructs an instance of <see cref="ColumnBase{TGridItem}" />.
     /// </summary>
-    public ColumnBase()
+    protected ColumnBase()
     {
         HeaderContent = RenderDefaultHeaderContent;
         HeaderTitleContent = RenderDefaultHeaderTitle;
diff --git a/src/Core/Components/Emojis/Emoji.cs b/src/Core/Components/Emojis/Emoji.cs
@@ -17,7 +17,7 @@ public class Emoji : EmojiInfo
     /// Please use the constructor including parameters.
     /// </summary>
     /// <exception cref="ArgumentNullException"></exception>
-    public Emoji() : this(string.Empty, EmojiSize.Size16, EmojiGroup.Flags, EmojiSkintone.Default, EmojiStyle.Flat, new byte[] { })
+    public Emoji() : this(string.Empty, EmojiSize.Size16, EmojiGroup.Flags, EmojiSkintone.Default, EmojiStyle.Flat, Array.Empty<byte>())
     {
         throw new ArgumentNullException("Please use the constructor including parameters.");
     }
diff --git a/src/Core/Components/InputFile/FluentInputFile.razor.cs b/src/Core/Components/InputFile/FluentInputFile.razor.cs
@@ -41,9 +41,6 @@ public FluentInputFile()
     /// <summary />
     private IJSObjectReference? Module { get; set; }
 
-    /// <summary />
-    private bool DropOver { get; set; } = false;
-
     /// <summary />
     protected string? ClassValue => new CssBuilder(Class)
         .AddClass("fluent-inputfile-container")
diff --git a/src/Core/Components/List/ListComponentBase.razor.cs b/src/Core/Components/List/ListComponentBase.razor.cs
@@ -206,7 +206,7 @@ protected string? InternalValue
     public Expression<Func<IEnumerable<TOption>>>? SelectedOptionsExpression { get; set; }
 
     /// <summary />
-    public ListComponentBase()
+    protected ListComponentBase()
     {
         _internalListContext = new(this);
 
diff --git a/src/Core/Components/Overlay/FluentOverlay.razor.cs b/src/Core/Components/Overlay/FluentOverlay.razor.cs
@@ -305,6 +305,6 @@ private async Task InvokeOverlayDisposeAsync()
         }
     }
 
-    [GeneratedRegex("^(?:#(?:[a-fA-F0-9]{6}|[a-fA-F0-9]{3}))")]
+    [GeneratedRegex("^(?:#(?:[a-fA-F0-9]{6}|[a-fA-F0-9]{3}))", RegexOptions.None, matchTimeoutMilliseconds: 1000)] //Add timeout to prevent ReDoS
     private static partial Regex CheckRGBString();
 }
diff --git a/src/Core/Components/Tooltip/FluentTooltip.razor.cs b/src/Core/Components/Tooltip/FluentTooltip.razor.cs
@@ -43,7 +43,6 @@ public partial class FluentTooltip : FluentComponentBase, IDisposable
     /// </summary>
     protected virtual TooltipGlobalOptions? GlobalOptions => TooltipService?.GlobalOptions;
 
-
     /// <summary>
     /// Gets or sets the text used on aria-label attribute.
     /// </summary>
diff --git a/src/Core/Components/TreeView/FluentTreeItem.razor.cs b/src/Core/Components/TreeView/FluentTreeItem.razor.cs
@@ -210,21 +210,22 @@ internal static RenderFragment GetFluentTreeItem(FluentTreeView owner, ITreeView
     {
         RenderFragment fluentTreeItem = builder =>
         {
-            int i = 0;
-            builder.OpenComponent<FluentTreeItem>(i++);
-            builder.AddAttribute(i++, "Id", item.Id);
-            builder.AddAttribute(i++, "Items", item.Items);
-            builder.AddAttribute(i++, "Text", item.Text);
-            builder.AddAttribute(i++, "InitiallySelected", owner.SelectedItem == item);
-            builder.AddAttribute(i++, "Expanded", item.Expanded);
-            builder.AddAttribute(i++, "Disabled", item.Disabled);
-            builder.AddAttribute(i++, "IconCollapsed", item.IconCollapsed);
-            builder.AddAttribute(i++, "IconExpanded", item.IconExpanded);
+            //Don't use calculation or counter for building sequence numbers
+            //See: https://learn.microsoft.com/en-us/aspnet/core/blazor/advanced-scenarios?view=aspnetcore-9.0&utm_source=chatgpt.com#manually-build-a-render-tree-rendertreebuilder
+            builder.OpenComponent<FluentTreeItem>(0);
+            builder.AddAttribute(1, "Id", item.Id);
+            builder.AddAttribute(2, "Items", item.Items);
+            builder.AddAttribute(3, "Text", item.Text);
+            builder.AddAttribute(4, "InitiallySelected", owner.SelectedItem == item);
+            builder.AddAttribute(5, "Expanded", item.Expanded);
+            builder.AddAttribute(6, "Disabled", item.Disabled);
+            builder.AddAttribute(7, "IconCollapsed", item.IconCollapsed);
+            builder.AddAttribute(8, "IconExpanded", item.IconExpanded);
             builder.SetKey(item.Id);
 
             if (owner.ItemTemplate != null)
             {
-                builder.AddAttribute(i++, "ChildContent", owner.ItemTemplate(item));
+                builder.AddAttribute(9, "ChildContent", owner.ItemTemplate(item));
             }
 
             builder.CloseComponent();
diff --git a/src/Core/Components/Wizard/FluentWizard.razor.cs b/src/Core/Components/Wizard/FluentWizard.razor.cs
@@ -238,7 +238,7 @@ protected virtual async Task<FluentWizardStepChangeEventArgs> OnStepChangeHandle
     /// <summary />
     protected virtual async Task OnFinishHandlerAsync(MouseEventArgs e)
     {
-        await this.FinishAsync(true);
+        await FinishAsync(true);
     }
 
     /// <summary>
@@ -332,10 +332,6 @@ private void SetCurrentStatusToStep(int stepIndex)
                 {
                     _steps[i].Status = WizardStepStatus.Current;
                 }
-                else if (i > stepIndex)
-                {
-                    _steps[i].Status = WizardStepStatus.Next;
-                }
                 else
                 {
                     _steps[i].Status = WizardStepStatus.Next;
diff --git a/src/Core/Infrastructure/StaticAssetServiceConfiguration.cs b/src/Core/Infrastructure/StaticAssetServiceConfiguration.cs
diff --git a/src/Core/Utilities/CssBuilder.cs b/src/Core/Utilities/CssBuilder.cs
@@ -123,6 +123,6 @@ private IEnumerable<string> SplitAndValidate(string input)
     /// Generates the regex used to validate CSS class names.
     /// </summary>
     /// <returns>A compiled regex for validating CSS class names</returns>
-    [GeneratedRegex(@"^-?[_a-zA-Z]+[_a-zA-Z0-9-]*$", RegexOptions.Compiled)]
+    [GeneratedRegex(@"^-?[_a-zA-Z]+[_a-zA-Z0-9-]*$", RegexOptions.Compiled, matchTimeoutMilliseconds: 1000)] //Add timeout to prevent ReDoS
     private static partial Regex GenerateValidClassNameRegex();
 }
diff --git a/src/Core/Utilities/Splitter.cs b/src/Core/Utilities/Splitter.cs
@@ -86,7 +86,8 @@ internal static Memory<string> GetFragments(
         builder.Clear();
         _stringBuilderCached = builder;
 
-        var splits = Regex.Split(text, regex, caseSensitive ? RegexOptions.None : RegexOptions.IgnoreCase);
+        //Add timeout to prevent ReDoS
+        var splits = Regex.Split(text, regex, caseSensitive ? RegexOptions.None : RegexOptions.IgnoreCase, TimeSpan.FromSeconds(1));
 
         var length = 0;
         for (var i = 0; i < splits.Length; i++)

Original file line number	Diff line number	Diff line change
`@@ -53,12 +53,12 @@ private async Task HandleOnAccordionChangedAsync(AccordionChangeEventArgs args)`
`53`	`53`	`{`
`54`	`54`	`if (args is not null)`
`55`	`55`	`{`
`56`		`- var Id = args.ActiveId;`
`57`		`- if (Id is not null && items.TryGetValue(Id!, out FluentAccordionItem? item))`
	`56`	`+ var id = args.ActiveId;`
	`57`	`+ if (id is not null && items.TryGetValue(id!, out FluentAccordionItem? item))`
`58`	`58`	`{`
`59`	`59`	`item.Expanded = args.Expanded;`
`60`	`60`	`await OnAccordionItemChange.InvokeAsync(item);`
`61`		`- await ActiveIdChanged.InvokeAsync(Id);`
	`61`	`+ await ActiveIdChanged.InvokeAsync(id);`
`62`	`62`	`}`
`63`	`63`	`}`
`64`	`64`	`}`
Original file line number	Diff line number	Diff line change
`@@ -269,7 +269,7 @@ protected void HandleKeyDown(FluentKeyCodeEventArgs e)`
`269`	`269`	`/// <summary>`
`270`	`270`	`/// Constructs an instance of <see cref="ColumnBase{TGridItem}" />.`
`271`	`271`	`/// </summary>`
`272`		`- public ColumnBase()`
	`272`	`+ protected ColumnBase()`
`273`	`273`	`{`
`274`	`274`	`HeaderContent = RenderDefaultHeaderContent;`
`275`	`275`	`HeaderTitleContent = RenderDefaultHeaderTitle;`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ public class Emoji : EmojiInfo`
`17`	`17`	`/// Please use the constructor including parameters.`
`18`	`18`	`/// </summary>`
`19`	`19`	`/// <exception cref="ArgumentNullException"></exception>`
`20`		`- public Emoji() : this(string.Empty, EmojiSize.Size16, EmojiGroup.Flags, EmojiSkintone.Default, EmojiStyle.Flat, new byte[] { })`
	`20`	`+ public Emoji() : this(string.Empty, EmojiSize.Size16, EmojiGroup.Flags, EmojiSkintone.Default, EmojiStyle.Flat, Array.Empty<byte>())`
`21`	`21`	`{`
`22`	`22`	`throw new ArgumentNullException("Please use the constructor including parameters.");`
`23`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -206,7 +206,7 @@ protected string? InternalValue`
`206`	`206`	`public Expression<Func<IEnumerable<TOption>>>? SelectedOptionsExpression { get; set; }`
`207`	`207`
`208`	`208`	`/// <summary />`
`209`		`- public ListComponentBase()`
	`209`	`+ protected ListComponentBase()`
`210`	`210`	`{`
`211`	`211`	`_internalListContext = new(this);`
`212`	`212`
Original file line number	Diff line number	Diff line change
`@@ -305,6 +305,6 @@ private async Task InvokeOverlayDisposeAsync()`
`305`	`305`	`}`
`306`	`306`	`}`
`307`	`307`
`308`		`- [GeneratedRegex("^(?:#(?:[a-fA-F0-9]{6}\|[a-fA-F0-9]{3}))")]`
	`308`	`+ [GeneratedRegex("^(?:#(?:[a-fA-F0-9]{6}\|[a-fA-F0-9]{3}))", RegexOptions.None, matchTimeoutMilliseconds: 1000)] //Add timeout to prevent ReDoS`
`309`	`309`	`private static partial Regex CheckRGBString();`
`310`	`310`	`}`
Original file line number	Diff line number	Diff line change
`@@ -238,7 +238,7 @@ protected virtual async Task<FluentWizardStepChangeEventArgs> OnStepChangeHandle`
`238`	`238`	`/// <summary />`
`239`	`239`	`protected virtual async Task OnFinishHandlerAsync(MouseEventArgs e)`
`240`	`240`	`{`
`241`		`- await this.FinishAsync(true);`
	`241`	`+ await FinishAsync(true);`
`242`	`242`	`}`
`243`	`243`
`244`	`244`	`/// <summary>`
`@@ -332,10 +332,6 @@ private void SetCurrentStatusToStep(int stepIndex)`
`332`	`332`	`{`
`333`	`333`	`_steps[i].Status = WizardStepStatus.Current;`
`334`	`334`	`}`
`335`		`- else if (i > stepIndex)`
`336`		`- {`
`337`		`- _steps[i].Status = WizardStepStatus.Next;`
`338`		`- }`
`339`	`335`	`else`
`340`	`336`	`{`
`341`	`337`	`_steps[i].Status = WizardStepStatus.Next;`