Security: Regular Expression Denial of Service (ReDoS) in glob pattern compilation#243
Conversation
The `compileGlobPattern` function in match-glob-pattern.ts compiles user-provided glob patterns into regular expressions without any timeout or complexity limits. Malicious patterns like `**/a*` repeated many times or with nested quantifiers could cause catastrophic backtracking. Affected files: match-glob-pattern.ts

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 66f7bc6.
```ts
const wildcardCount = (pattern.match(/[*?]/g) || []).length;
if (wildcardCount > MAX_WILDCARDS) {
  throw new Error(`Glob pattern exceeds maximum wildcard count of ${MAX_WILDCARDS}`);
}
```
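Review bot: the wildcard cap in this hunk counts `*` and `?` characters, not the number of `.*` segments the compiled regex will contain, so it does not bound the thing that drives backtracking; with `MAX_WILDCARDS` at 20, a pattern made of ten `**` runs (the `**a**a**a**a**a` case Bugbot reproduces below) stays under the cap yet compiles to ten overlapping `.*` groups. Suggest counting wildcard runs rather than characters (so `**a**a` counts two, not four), stating in a comment what the limit is meant to bound, and adding a regression test that compiles such an adversarial pattern and matches it against a long non-matching path under a time budget, since the PR's Testing section is empty.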
ReDoS mitigation is insufficient despite length/wildcard limits
High Severity
The pattern length and wildcard count limits don't actually prevent catastrophic backtracking. A pattern like `**a**a**a**a**a` (15 chars, 10 wildcards — well within both limits) compiles to `^.*a.*a.*a.*a.*a.*$`, which has multiple overlapping `.*` quantifiers that cause exponential backtracking on adversarial inputs. The compiled regex complexity is never validated, so the ReDoS vulnerability the PR claims to fix remains exploitable. A proper fix needs to either validate the compiled regex (e.g., via `safe-regex`) or restructure the generated patterns to avoid overlapping quantifiers.
```ts
const REGEX_SPECIAL_CHARACTERS = /[.+^${}()|[\]\\]/g;

const MAX_PATTERN_LENGTH = 500;
const MAX_WILDCARDS = 20;
```
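Review bot: `MAX_PATTERN_LENGTH` and `MAX_WILDCARDS` land as bare magic numbers with no comment on how 500 and 20 were chosen or what cost they are meant to bound; since the summary below notes that existing configs with large ignore globs will now throw, a one-line justification next to each constant (and the error text callers will see) would help whoever has to tune them later.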


Problem
The `compileGlobPattern` function in match-glob-pattern.ts compiles user-provided glob patterns into regular expressions without any timeout or complexity limits. Malicious patterns like `**/a*` repeated many times or with nested quantifiers could cause catastrophic backtracking.

Severity: high

File: `packages/react-doctor/src/core/config/match-glob-pattern.ts`

Solution

Implement a regex complexity check or use a library like `safe-regex` to validate the compiled regex for potential ReDoS. Alternatively, use a glob-to-regex library with built-in protection.

Changes

`packages/react-doctor/src/core/config/match-glob-pattern.ts` (modified)

Testing
Note
Medium Risk
Adds hard limits that now throw errors for overly long or wildcard-heavy ignore patterns, which could break existing configs that relied on very large globs. Change is localized but affects config parsing for ignore rules.
Overview
Mitigates potential ReDoS in `compileGlobPattern` by enforcing maximum glob length and wildcard count before compiling to a `RegExp`. Invalid/overly complex patterns now throw explicit errors, impacting ignore file/override pattern compilation that calls this helper.