wernerdv commented on issue #12316: URL: https://github.com/apache/ignite/issues/12316#issuecomment-4531739926
@jpsla94 Hello. "Sonatype-2022-5219" looks like a false positive after [IGNITE-12687](https://github.com/apache/ignite/commit/8534e5a9751ec44b538a84009a55d78481063573#diff-2eef0b17308f1801dd8a75da262a24debdb271591d1976385c204f30b2db0556).

Before this commit, `translateSqlWildcardsToRegex` used these three simple regexes:

```java
toRegex = toRegex.replaceAll("([^\\\\])%", "$1.*");
toRegex = toRegex.replaceAll("([^\\\\])_", "$1.");
toRegex = toRegex.replaceAll("\\\\(.)", "$1");
```

These are the patterns a ReDoS scanner would flag: `([^\\])%` and `([^\\])_` can exhibit catastrophic backtracking on certain crafted inputs.

The fix replaced them with four hardened patterns:

```java
toRegex = toRegex.replaceAll("([\\[\\]{}()*+?.\\\\\\\\^$|])", "\\\\$1"); // [L1]
toRegex = toRegex.replaceAll("([^\\\\\\\\])((?:\\\\\\\\\\\\\\\\)*)%", "$1$2.*"); // [L2]
toRegex = toRegex.replaceAll("([^\\\\\\\\])((?:\\\\\\\\\\\\\\\\)*)_", "$1$2."); // [L3]
toRegex = toRegex.replaceAll("([^\\\\\\\\])(\\\\\\\\(?>\\\\\\\\\\\\\\\\)*\\\\\\\\)*\\\\\\\\([_|%])", "$1$2$3"); // [L4]
```

The critical defenses in the new patterns are:

- Lines 2–3: `((?:\\\\\\\\)*)` in the actual regex is `((?:\\\\)*)`, which matches zero or more fixed-length pairs of backslashes. Because each iteration consumes exactly 2 characters, there is no ambiguity and no exponential backtracking.
- Line 4: uses `(?>...)`, a Java atomic group. Atomic groups discard saved backtracking positions once matched, which is the standard technique for eliminating ReDoS in nested quantifier patterns.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
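The four hardened patterns quoted in the comment above, exercised end to end. This is an added example, not Ignite's code and not the commenter's: it ports the four `replaceAll` calls into a stand-alone class, prepends a placeholder space (an assumption of this example, so that a wildcard at position 0 has a preceding non-backslash character for the `[^\\]` prefix to consume), and adds a `main` that translates constructed sample LIKE patterns and checks them with `java.util.regex.Pattern`. The class name, the sentinel handling and the sample inputs are all constructed here.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Apache Ignite's code): a stand-alone port of the hardened
 * SQL-wildcard-to-regex translation so the four patterns can be run on sample input.
 */
public class SqlWildcardRegexDemo {

    /** Translates a SQL LIKE pattern ('%' = any run, '_' = one char, '\' escapes) into a Java regex. */
    static String translateSqlWildcardsToRegex(String sqlPtrn) {
        if (sqlPtrn == null || sqlPtrn.isEmpty())
            return sqlPtrn;

        // Assumption of this example: a leading space is prepended so that a wildcard at
        // position 0 has a preceding non-backslash character for the "[^\\]" prefix to consume.
        String toRegex = ' ' + sqlPtrn;

        // L1: escape every regex metacharacter, including '\' itself, so one input backslash
        // becomes two characters in the working string.
        toRegex = toRegex.replaceAll("([\\[\\]{}()*+?.\\\\\\\\^$|])", "\\\\$1");

        // L2/L3: an unescaped wildcard is one preceded by an even number of input backslashes.
        // After L1 each input backslash is two characters, so the "(?:...)*" group consumes blocks
        // of exactly four characters (two input backslashes): every iteration has exactly one way
        // to match, so a failed later token cannot fan out into many re-splits.
        toRegex = toRegex.replaceAll("([^\\\\\\\\])((?:\\\\\\\\\\\\\\\\)*)%", "$1$2.*");
        toRegex = toRegex.replaceAll("([^\\\\\\\\])((?:\\\\\\\\\\\\\\\\)*)_", "$1$2.");

        // L4: a wildcard preceded by an odd number of input backslashes is an escaped literal;
        // drop the escaping backslash. "(?>...)" is atomic: once the inner run of backslash
        // blocks has matched, the engine never backtracks into it to try a different split.
        toRegex = toRegex.replaceAll("([^\\\\\\\\])(\\\\\\\\(?>\\\\\\\\\\\\\\\\)*\\\\\\\\)*\\\\\\\\([_|%])", "$1$2$3");

        return toRegex.substring(1);
    }

    public static void main(String[] args) {
        // Constructed samples: {LIKE pattern, string that should match, string that should not}
        String[][] samples = {
            {"som_",     "some",       "som"},
            {"%log",     "server.log", "log.txt"},
            {"s[om]e",   "s[om]e",     "some"},     // regex metacharacters are escaped
            {"a.b_c",    "a.bXc",      "aXbXc"},    // '.' is literal, '_' is the wildcard
            {"so\\_me",  "so_me",      "soXme"},    // escaped '_' stays a literal underscore
            {"50\\%off", "50%off",     "50xoff"},   // escaped '%' stays a literal percent sign
        };

        for (String[] s : samples) {
            String regex = translateSqlWildcardsToRegex(s[0]);
            System.out.printf("%-10s -> %-12s  matches %-12s: %-5b  matches %-8s: %b%n",
                s[0], regex, s[1], Pattern.matches(regex, s[1]),
                s[2], Pattern.matches(regex, s[2]));
        }
    }
}
```

Running `main` prints one line per sample: `som_` becomes `som.`, `%log` becomes `.*log`, `s[om]e` becomes `s\[om\]e`, and the two escaped inputs become the literals `so_me` and `50%off`, each matching only its intended candidate. The point for a reviewer of the Sonatype finding is visible in the L2/L3 and L4 comments: the repeated groups consume fixed-width blocks and the nested repetition is atomic, so the regex engine has exactly one way to partition any run of backslashes.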
