fix: prevent ReDoS vulnerability in regex validation#6091

Open
R-Panic wants to merge 1 commit into Unitech:master from R-Panic:master

Conversation

R-Panic commented Mar 10, 2026

CVE-2025-5891 - Regular Expression Denial of Service vulnerability

Description

This PR fixes a ReDoS vulnerability in the configuration validator where regex patterns could be repeatedly compiled on each validation, and unbounded input strings could cause exponential backtracking attacks.

Changes

  • Add regex pattern cache to prevent repeated compilation
  • Limit regex input length to 10,000 characters to prevent DoS
  • Wrap regex compilation in try/catch to handle invalid patterns gracefully
  • Improve performance by reusing compiled regex objects

Vulnerability Details

  • CVE ID: CVE-2025-5891
  • CWE: CWE-1333 (Inefficient Regular Expression Complexity), CWE-400 (Uncontrolled Resource Consumption)
  • Severity: Medium
  • File: lib/tools/Config.js
  • Issue: Unbounded input + regex recompilation could lead to ReDoS

Testing

The fix:

  • Maintains backward compatibility
  • Adds safe limits on regex validation
  • Caches compiled regex for better performance
  • Handles invalid regex patterns gracefully

Fixes #6086

Signed-off-by: R-Panic <bot@term.com>

CVE-2025-5891 - Regular Expression Denial of Service vulnerability in lib/tools/Config.js

Changes:
- Add regex cache to prevent recompilation of patterns
- Limit regex input length to 10,000 characters to prevent exponential backtracking
- Add try/catch for invalid regex patterns
- Prevent ReDoS attacks through config schema validation

Fixes Unitech#6086

Signed-off-by: R-Panic <bot@term.com>
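The page does not show the diff itself, so here is an added example (not the project's code) of a schema-regex validator that applies the three mitigations listed in the PR description and the commit message above: a compiled-pattern cache, the 10,000-character input cap, and try/catch around compilation. The function and constant names, and the sample schema, are assumptions.

```javascript
// Added example, not the project's own code. Names (regexCache, safeRegexTest,
// validateConfig) are assumed; the 10,000 cap is the one stated in the PR.
const MAX_REGEX_INPUT_LENGTH = 10000;

// pattern string -> compiled RegExp, or null when the pattern is invalid.
// Caching the null too means a bad pattern is compiled (and fails) only once.
const regexCache = new Map();

function getCachedRegex(pattern) {
  if (regexCache.has(pattern)) return regexCache.get(pattern);
  let compiled = null;
  try {
    compiled = new RegExp(pattern);
  } catch (err) {
    compiled = null; // invalid pattern: handled gracefully instead of throwing
  }
  regexCache.set(pattern, compiled);
  return compiled;
}

// True only if `value` is a string within the length cap and matches `pattern`;
// over-long input is rejected before the matcher ever runs on it.
function safeRegexTest(pattern, value) {
  if (typeof value !== 'string') return false;
  if (value.length > MAX_REGEX_INPUT_LENGTH) return false;
  const re = getCachedRegex(pattern);
  return re !== null && re.test(value);
}

// Constructed schema walk, the way a config validator might call the helper.
// Returns the keys whose values fail their schema regex.
function validateConfig(config, schema) {
  const errors = [];
  for (const [key, rule] of Object.entries(schema)) {
    if (rule.regex && key in config && !safeRegexTest(rule.regex, config[key])) {
      errors.push(key);
    }
  }
  return errors;
}
```

The length cap bounds how much input a single call can hand to the matcher, but it does not make a nested-quantifier pattern safe on its own, so the schema patterns themselves still need to avoid catastrophic backtracking.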
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

TermBot seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.
