bito-code-review[bot] commented on PR #40622:
URL: https://github.com/apache/superset/pull/40622#issuecomment-4617814297
The regular expression `replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')` is used to strip
leading and trailing whitespace and C0 control characters from the URL before
processing. While this regex is generally efficient for typical URL strings,
CodeQL flags it because, in some environments, complex regex patterns can be
susceptible to catastrophic backtracking when processing maliciously crafted,
extremely long strings containing many repetitions of specific characters like
`\u0000`.
In this specific implementation, the regex is anchored to the start and end
of the string and uses simple character classes, which significantly limits the
risk of backtracking. Given that this function processes individual link URIs,
the performance impact is expected to be negligible in practice.
**superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown/SafeMarkdown.tsx**
```tsx
// eslint-disable-next-line no-control-regex
const url = (uri || '').replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
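The trimming regex discussed in the comment, placed beside a loop-based equivalent that scans each character once, as an added example that is not part of the bot's comment or of Superset's code; `trimControlsLinear`, `SAMPLE_URIS`, `implementationsAgree` and `timeBoth` are names assumed here, and the sample URIs are constructed.

```javascript
// Added example, not Superset's code: the trimming regex from SafeMarkdown.tsx
// next to a loop-based equivalent, plus a helper that checks the two agree
// on constructed inputs and a probe that times both on one input.

// Strips leading/trailing U+0000..U+0020 (C0 controls and space), as in the PR.
// eslint-disable-next-line no-control-regex
const CTRL_TRIM_RE = /^[\u0000-\u0020]+|[\u0000-\u0020]+$/g;

function trimControlsRegex(uri) {
  return (uri || '').replace(CTRL_TRIM_RE, '');
}

// Same result without a regex engine: two index walks, linear in the input
// length for every input, so there is no backtracking for a scanner to flag.
function trimControlsLinear(uri) {
  const s = uri || '';
  let start = 0;
  let end = s.length;
  while (start < end && s.charCodeAt(start) <= 0x20) start += 1;
  while (end > start && s.charCodeAt(end - 1) <= 0x20) end -= 1;
  return s.slice(start, end);
}

// Constructed sample URIs (not from the PR): mixed controls and whitespace,
// an interior control character that must survive, an all-control string,
// empty and undefined input, and a long run of spaces ending in one
// non-space character, the input shape the comment warns about.
const SAMPLE_URIS = [
  '\u0000\t https://example.com/path?q=1 \r\n',
  'http://a\u0001b.test/',
  ' \u0000\u001f ',
  '',
  undefined,
  `${' '.repeat(20000)}x`,
];

// True when both implementations give identical output for every sample,
// i.e. the linear version is a drop-in replacement for the regex.
function implementationsAgree(uris = SAMPLE_URIS) {
  return uris.every((u) => trimControlsRegex(u) === trimControlsLinear(u));
}

// Wall-clock probe (nanoseconds) for comparing the two on a chosen input.
function timeBoth(uri) {
  const t0 = process.hrtime.bigint();
  trimControlsRegex(uri);
  const t1 = process.hrtime.bigint();
  trimControlsLinear(uri);
  const t2 = process.hrtime.bigint();
  return { regexNs: Number(t1 - t0), linearNs: Number(t2 - t1) };
}
```

Run `timeBoth(SAMPLE_URIS[5])` a few times to see how the engine in use handles the long-whitespace case; the assertions below only check that the outputs match.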