Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DNM] Fix CodeQL reported vulnerabilities #2398

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

KipSigei
Copy link
Contributor

@KipSigei KipSigei commented Apr 3, 2023

Changes / Features implemented

Fixes the following Vulnerabilities

Steps taken to verify this change does what is intended

Side effects of implementing this change

Before submitting this PR for review, please make sure you have:

  • Included tests
  • Updated documentation

Closes #

Signed-off-by: Kipchirchir Sigei <arapgodsmack@gmail.com>
Signed-off-by: Kipchirchir Sigei <arapgodsmack@gmail.com>
Signed-off-by: Kipchirchir Sigei <arapgodsmack@gmail.com>
Signed-off-by: Kipchirchir Sigei <arapgodsmack@gmail.com>
new_filename = f"{basename}-{index}{ext}"
# check for an index i.e. dash then number then dot extension
regex = re.compile(r"(.+?)\-(\d+)(\..+)")
match = regex.match(filename)

Check failure

Code scanning / CodeQL

Polynomial regular expression used on uncontrolled data

This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of 'a'.
@@ -962,22 +962,22 @@

# Capture urls within form title
if re.search(
r"^(?:http(s)?:\/\/)?[\w.-]+(?:\.[\w\.-]+)+[\w\-\._~:/?#[\]@!\$&'\(\)\*\+,;=.]+$", # noqa
r"^(?:http(s)?:\/\/)?[\w\-.]+(?:\.[\w\-.]+)+[\w\-.~:/?#[\]@!\$&'()*+,;=]+$", # noqa

Check failure

Code scanning / CodeQL

Inefficient regular expression

This part of the regular expression may cause exponential backtracking on strings starting with '-.' and containing many repetitions of '-.'.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant