Merge pull request #298 from github/codeql-polynomial-regex

CodeQL - Limit polynomial regex to only match 1000 characters at most
github · May 21, 2024 · 2085cce · 2085cce
2 parents 0127026 + dd2af63
commit 2085cce
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/lib/octocatalog-diff/catalog-util/command.rb b/lib/octocatalog-diff/catalog-util/command.rb
@@ -91,7 +91,7 @@ def setup
         facts_terminus = @options.fetch(:facts_terminus, 'yaml')
         if facts_terminus == 'yaml'
           cmdline << "--factpath=#{Shellwords.escape(File.join(@compilation_dir, 'var', 'yaml', 'facts'))}"
-          if @options[:fact_file].is_a?(String) && @options[:fact_file] =~ /.*\.(\w+)$/
+          if @options[:fact_file].is_a?(String) && @options[:fact_file] =~ /.*{1,1000}\.(\w+)$/
             fact_file = File.join(@compilation_dir, 'var', 'yaml', 'facts', "#{@node}.#{Regexp.last_match(1)}")
             FileUtils.cp @options[:fact_file], fact_file unless File.file?(fact_file) || @options[:fact_file] == fact_file
           end

diff --git a/spec/octocatalog-diff/tests/util/parallel_spec.rb b/spec/octocatalog-diff/tests/util/parallel_spec.rb
@@ -343,8 +343,8 @@ def two(arg, _logger = nil)
       expect(two_result.exception).to eq(nil)
       expect(two_result.output).to match(/^two def \d+$/)
 
-      one_time = Regexp.last_match(1).to_i if one_result.output =~ /(\d+)$/
-      two_time = Regexp.last_match(1).to_i if two_result.output =~ /(\d+)$/
+      one_time = Regexp.last_match(1).to_i if one_result.output =~ /(\d+{1,1000})$/
+      two_time = Regexp.last_match(1).to_i if two_result.output =~ /(\d+{1,1000})$/
       expect(one_time).to be < two_time
     end