asf-tooling opened a new issue, #989:
URL: https://github.com/apache/tooling-trusted-releases/issues/989

   **ASVS Level(s):** [L2-only]
   
   **Description:**
   
   ### Summary
   User input from the project filter textbox is passed directly to `new 
RegExp()` without escaping special characters, allowing regex metacharacters to 
be interpreted as pattern syntax rather than literal characters. This creates a 
ReDoS vulnerability where patterns like `(a+)+` can cause catastrophic 
backtracking and browser unresponsiveness. Invalid regex characters (e.g., `[`, 
`(`) cause unhandled exceptions, breaking the filter functionality entirely. 
Users expecting literal text search get unexpected wildcard behavior (e.g., `.` 
matches any character).
   
   ### Details
   **Affected Files and Lines:**
   - `atr/static/js/src/projects-directory.js:25-31` - RegExp without escaping
   
   User input is used directly as a regex pattern without escaping special 
characters, allowing ReDoS and unexpected behavior.
   
   ### Recommended Remediation
   Apply escaping to all regex special characters before constructing the 
RegExp object:
   
   ```javascript
   // Prefix every RegExp metacharacter with a backslash so the user's text is matched literally
   const escapedFilter = projectFilter.replaceAll(/[.*+?^${}()|[\]\\]/g, '\\$&');
   const regex = new RegExp(escapedFilter, 'i');
   ```
   
   **Alternative:** Use `String.includes()` for simple text search instead of 
regex:
   
   ```javascript
   // Case-insensitive substring match; no pattern is compiled, so nothing can throw or backtrack
   const lowerFilter = projectFilter.toLowerCase();
   projectRows.forEach(row => {
       const projectName = row.dataset.projectName.toLowerCase();
       row.style.display = projectName.includes(lowerFilter) ? '' : 'none';
   });
   ```
   
   ### Acceptance Criteria
   - [ ] Regex escaping implemented OR
   - [ ] String.includes() used instead
   - [ ] ReDoS prevented
   - [ ] Invalid characters handled
   - [ ] Literal text search works
   - [ ] Unit test verifying the fix
   
   ### References
   - Source reports: L2:1.2.9.md, L2:1.3.3.md
   - Related findings: FINDING-212
   - ASVS sections: 1.2.9, 1.3.3
   
   ### Priority
   Medium
   
   ---


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
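The following is an added example, not code from the issue above or from apache/tooling-trusted-releases. It puts the unescaped `new RegExp(projectFilter)` construction the issue describes next to the two remediations it proposes (escaping the input, or using `String.prototype.includes()`), and exercises the behaviours the issue lists: `.` acting as a wildcard, malformed input such as `[` and `c++` throwing `SyntaxError`, a backtracking-prone pattern losing its quantifiers once escaped, and literal text search working. The project names and filter strings are constructed sample data standing in for the `row.dataset.projectName` values; `escapeRegExp`, `unsafeFilterRegex`, `safeFilterRegex`, `includesFilter`, `visibleProjects`, `tryBuild` and `demo` are names chosen for this example only.

```javascript
// Added example, not code from apache/tooling-trusted-releases. Compares the
// unescaped RegExp construction the issue describes with its two remediations.
// Project names and filter strings below are constructed sample data.

// Escape every character with special meaning in a RegExp pattern
// (same character class as the remediation in the issue).
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Vulnerable shape: user text is compiled as pattern syntax.
// Throws SyntaxError on malformed input such as "[" or "c++".
function unsafeFilterRegex(projectFilter) {
  return new RegExp(projectFilter, 'i');
}

// Remediation 1: escape first, so the pattern can only match the literal text.
function safeFilterRegex(projectFilter) {
  return new RegExp(escapeRegExp(projectFilter), 'i');
}

// Remediation 2: no regex at all; case-insensitive substring search.
function includesFilter(projectName, projectFilter) {
  return projectName.toLowerCase().includes(projectFilter.toLowerCase());
}

// Returns the names a given matcher would leave visible in the directory.
function visibleProjects(names, matcher) {
  return names.filter(matcher);
}

// Builds a regex via `builder` and reports success or the thrown error name,
// so a malformed filter is observable rather than an unhandled exception.
function tryBuild(builder, projectFilter) {
  try {
    return { ok: true, source: builder(projectFilter).source };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample data standing in for row.dataset.projectName values.
const SAMPLE_PROJECTS = ['Apache Tomcat', 'Apache Tooling', 'Apache Arrow (C++)'];

// Runs the comparison and returns every result so it can be inspected.
function demo() {
  const out = {};

  // "t.m": unescaped, "." is a wildcard and matches "Tom" in "Tomcat";
  // escaped, the filter is the literal three characters and matches nothing.
  out.wildcardUnsafe = visibleProjects(SAMPLE_PROJECTS, n => unsafeFilterRegex('t.m').test(n));
  out.wildcardSafe = visibleProjects(SAMPLE_PROJECTS, n => safeFilterRegex('t.m').test(n));

  // "c++": a quantifier following a quantifier is a SyntaxError when unescaped;
  // escaped or with includes() it is an ordinary literal search.
  out.cppUnsafe = tryBuild(unsafeFilterRegex, 'c++');
  out.cppSafe = visibleProjects(SAMPLE_PROJECTS, n => safeFilterRegex('c++').test(n));
  out.cppIncludes = visibleProjects(SAMPLE_PROJECTS, n => includesFilter(n, 'c++'));

  // "[": an unterminated character class throws unescaped, compiles fine escaped.
  out.bracketUnsafe = tryBuild(unsafeFilterRegex, '[');
  out.bracketSafe = tryBuild(safeFilterRegex, '[');

  // A classic backtracking pattern: after escaping it contains no quantifiers
  // or groups at all, so the engine can only do a linear literal scan.
  out.redosEscaped = escapeRegExp('(a+)+$');

  return out;
}

console.log(demo());
```

Of the two remediations, `includesFilter` is the smaller attack surface: there is no pattern to compile, so no input can throw or backtrack, and the escaping table cannot drift out of sync with the regex engine. Escaping is only worth keeping if the filter genuinely needs regex features such as anchors, in which case the escaped user text would be spliced into a fixed, reviewed pattern.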