Commit a3e45a0
fix(regex_redos): don't flag ? quantifier as nested quantifier vulnerability

The ? quantifier (0 or 1 times) cannot cause exponential backtracking
when used as the outer quantifier because it matches at most once.
Only unbounded quantifiers (+, *, {n,m} where m>1) should be flagged.

This fixes false positives for patterns like:
- ^/([_0-9a-zA-Z-]+/)?core/cache/...
- ^/([a-z]+/)?foo/bar

The change modifies the condition from checking if max > min (which is
true for ?) to checking if max > 1 (which excludes ?).

Fixes false positives reported in user configs with WP Rocket caching
rules that use optional prefix patterns.

1 parent 7656517 commit a3e45a0
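The condition change described in the commit message, as an added example (not gixy's own plugin code): a small nested-quantifier check built on the standard library's regex parser, with the old condition (max > min) and the new one (max > 1) side by side. OLD_CHECK, NEW_CHECK and find_nested_quantifiers are names chosen here; the second pattern from the commit message is used as input and the other patterns are constructed.

```python
try:
    from re import _parser as sre_parse   # Python 3.11+
except ImportError:
    import sre_parse                      # older Pythons

MAX_REPEAT, MIN_REPEAT = sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT
SUBPATTERN, BRANCH = sre_parse.SUBPATTERN, sre_parse.BRANCH
MAXREPEAT = sre_parse.MAXREPEAT           # sentinel for "no upper bound"

# The two outer-quantifier conditions the commit message contrasts
# (assumed names; gixy's own code is not reproduced here).
def OLD_CHECK(mn, mx):
    return mx > mn                        # true for ? (0,1): false positive

def NEW_CHECK(mn, mx):
    return mx > 1                         # +, *, {n,m} with m > 1 only


def _children(op, av):
    """Sub-patterns nested inside one parse node (empty for leaves)."""
    if op in (MAX_REPEAT, MIN_REPEAT):
        return [av[2]]                    # (min, max, body)
    if op == SUBPATTERN:
        return [av[-1]]                   # (..., body) on every Python 3
    if op == BRANCH:
        return list(av[1])                # (None, [alternatives])
    return []


def _walk(p):
    """Yield every (op, av) node of a parsed pattern, depth first."""
    for op, av in p:
        yield op, av
        for child in _children(op, av):
            yield from _walk(child)


def find_nested_quantifiers(pattern, outer_check=NEW_CHECK):
    """Return (min, max) of each outer quantifier accepted by outer_check
    whose body contains another repeat with max > 1 (unbounded -> inf)."""
    findings = []
    for op, av in _walk(sre_parse.parse(pattern)):
        if op not in (MAX_REPEAT, MIN_REPEAT):
            continue
        mn, mx, body = av
        if not outer_check(mn, mx):
            continue
        if any(iop in (MAX_REPEAT, MIN_REPEAT) and iav[1] > 1
               for iop, iav in _walk(body)):
            findings.append((mn, float("inf") if mx == MAXREPEAT else mx))
    return findings
```

With OLD_CHECK the optional-prefix pattern from the message is reported as (0, 1); with NEW_CHECK it is clean, while an outer +, * or {2,5} around the same group is still flagged.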
File tree
3 files changed: +61 -7 lines changed
- gixy/plugins
- tests/plugins
- simply/regex_redos
0 commit comments