@erik-krogh (Contributor) commented Nov 9, 2021

The idea of this PR is that /a{0,100}/ is close enough to /a*/ that we can just treat them the same.
Gets us one step closer to flagging CVE-2021-22902.

Evaluations: Ruby, Python, JavaScript look OK.
The JavaScript evaluation shows that an FP was fixed.

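To make the approximation in the description concrete, here is an added example that is not code from this PR or from CodeQL: a toy backtracking matcher that counts how much work an engine does rejecting an input of the form `aaaa…!` against `(a{0,100})*`, `(a*)*` and `(a{0,3})*`. The names `match_anchored`, `Trace`, `compare` and the hand-built `Lit`/`Rep`/`Seq` pattern nodes are my own assumptions for the illustration; the `q != p` guard that rejects an iteration consuming nothing is a simplification of what production engines do.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple, Union

# A tiny model of a backtracking regex engine, built only to count work.
# It is NOT CodeQL's ReDoS analysis and NOT a real regex library; pattern
# nodes are constructed by hand instead of parsed from a regex string.

@dataclass(frozen=True)
class Lit:
    ch: str                      # matches exactly one character

@dataclass(frozen=True)
class Rep:
    node: "Node"                 # repeated sub-pattern
    lo: int                      # minimum repetitions, e.g. 0 for a{0,100} or a*
    hi: Optional[int]            # maximum repetitions; None means unbounded (a*)

@dataclass(frozen=True)
class Seq:
    items: Tuple["Node", ...]    # concatenation

Node = Union[Lit, Rep, Seq]

@dataclass
class Trace:
    matched: bool
    steps: int                   # matcher invocations (a proxy for backtracking work)
    end_checks: int              # how often the engine reached the end of the pattern

def match_anchored(pattern: Node, text: str) -> Trace:
    """Match `pattern` against all of `text` (as if wrapped in ^...$), greedily,
    with classic backtracking, and record how much work that took."""
    trace = Trace(False, 0, 0)

    def m(node: Node, pos: int, k: Callable[[int], bool]) -> bool:
        trace.steps += 1
        if isinstance(node, Lit):
            if pos < len(text) and text[pos] == node.ch:
                return k(pos + 1)
            return False
        if isinstance(node, Seq):
            def run(i: int, p: int) -> bool:
                if i == len(node.items):
                    return k(p)
                return m(node.items[i], p, lambda q: run(i + 1, q))
            return run(0, pos)
        if isinstance(node, Rep):
            def loop(count: int, p: int) -> bool:
                # Greedy: try one more iteration first if the upper bound allows it.
                # An iteration that consumes nothing (q == p) is rejected, so that
                # (a*)* and friends cannot spin forever (simplified engine rule).
                if node.hi is None or count < node.hi:
                    if m(node.node, p, lambda q: q != p and loop(count + 1, q)):
                        return True
                # Otherwise, or after that fails, leave the loop if we have enough reps.
                return count >= node.lo and k(p)
            return loop(0, pos)
        raise TypeError(f"unknown node {node!r}")

    def at_end(p: int) -> bool:
        trace.end_checks += 1
        return p == len(text)

    trace.matched = m(pattern, 0, at_end)
    return trace

def nested(hi: Optional[int]) -> Node:
    """(a{0,hi})*  -- or (a*)* when hi is None."""
    return Rep(Rep(Lit("a"), 0, hi), 0, None)

def compare(n: int) -> dict:
    """Work done rejecting the constructed input 'a'*n + '!' under three inner quantifiers."""
    text = "a" * n + "!"
    return {
        "a*": match_anchored(nested(None), text),
        "a{0,100}": match_anchored(nested(100), text),
        "a{0,3}": match_anchored(nested(3), text),
    }

if __name__ == "__main__":
    for n in (8, 12, 16):
        res = compare(n)
        print(n, {k: (v.steps, v.end_checks) for k, v in res.items()})
```

For any input shorter than the upper bound, `(a{0,100})*` and `(a*)*` take exactly the same steps and reach the end of the pattern 2^n times (one per way of splitting the run of `a`s into non-empty chunks), which is why an analysis that treats the two alike gives up nothing on realistic attack inputs. A tight bound such as `{0,3}` prunes some splits but the count still grows exponentially in n, so a bound alone is not a fix.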
@erik-krogh force-pushed the railsReDoS branch 2 times, most recently from 0e37892 to a983693, November 10, 2021 08:39
@erik-krogh changed the title from "JS/PY/RB: treat ranges that have no lower-bound as a plus for ReDoS analysis" to "JS/PY/RB: support a limited number of ranges for ReDoS analysis" Nov 10, 2021
@erik-krogh marked this pull request as ready for review November 10, 2021 13:06
@erik-krogh requested review from a team as code owners November 10, 2021 13:06
@yoff (Contributor) previously approved these changes Nov 12, 2021 and left a comment:

LGTM

@nickrolfe (Contributor) previously approved these changes Nov 25, 2021, with a review comment on lines 101 to 102:

    import RegExpTreeView

Is this not a repetition of line 86?

@erik-krogh (Contributor, Author) replied:

It is.
I'll remove the redundancy.

@erik-krogh (Contributor, Author) commented:

I've rebased this PR on main.
Can I get a final review?

@asgerf (Contributor) left a comment:

LGTM from JS

@erik-krogh merged commit 89bab6a into github:main Jan 13, 2022

4 participants