@ChibiBlasphem

  • List coercion wasn't supporting "non-word" characters inside the strings; make it possible to contain anything that is not (" , ] [)

@ChibiBlasphem ChibiBlasphem force-pushed the fix/ast-builder/list-cercion branch from 8c48e24 to a7d0a6e Compare August 29, 2025 15:42

const isNumberArray = /^\[(\s*(\d+(\.\d+)?)\s*,?)*(\s*|\])$/;
const isStringArray = /^\[(\s*"?(\w+)"?\s*,?)*(\s*|\])$/;
const isStringArray = /^\[(\s*"?([^",[\]]+)"?\s*,?)*(\s*|\])$/;
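
Review bot: In the new isStringArray line the separator is still optional (`,?`) inside the starred group, while the item class has widened from `\w+` to `[^",[\]]+`, which also matches whitespace. A run of item characters can therefore be divided between `\s*`, the class and successive iterations of the group in many different ways, and on an input that ultimately fails to match the engine has to try them all; that is the nesting the CodeQL alert on this line points at. Consider requiring the comma between items (optional only after the last one) and keeping leading and trailing whitespace out of the item class, or validating by splitting on commas and checking each item, and add a test with a long unterminated item.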

Check failure

Code scanning / CodeQL

Inefficient regular expression High

This part of the regular expression may cause exponential backtracking on strings starting with '[' and containing many repetitions of '!'.

Copilot Autofix

AI about 2 months ago

To fix this issue, we need to rewrite the regular expression on line 48 to avoid ambiguity within repeated alternatives. The main concern is that ([^",[\]]+) appears inside a structure where the engine might consider multiple paths to match a substring of the input, especially if the input contains characters like [ at certain places.

The fix is to rewrite the inner pattern to make it unambiguous and avoid catastrophic backtracking. This can be done by using a non-capturing group, ensuring no overlapping, or being more precise in matching strings between delimiters. Since the intent is to match an array-like string, a safer alternative is to more narrowly match quoted strings or non-quote, non-bracket substrings using a non-greedy approach or atomic groups (ES2018+), or alternatively change + to *, ensuring it accepts empty fields as well. But the core of the fix is to rework [^",[\]]+ so that it cannot match the empty string or repeatedly lead to ambiguous parses.

One robust alternative for array string matching is to match only quoted substrings, or if supporting unquoted as well, make the branch for quoted and unquoted values separate and unambiguous. For now, a direct improvement, per the general advice, is to replace ([^",[\]]+) with ([^",[\]]*) and adjust the rest accordingly, or be even stricter.

Additionally, since we only have access to the file containing the regex definition, we only need to update the regex at line 48.


Suggested changeset 1
packages/app-builder/src/components/AstBuilder/edition/coerceToConstantAstNode.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/app-builder/src/components/AstBuilder/edition/coerceToConstantAstNode.ts b/packages/app-builder/src/components/AstBuilder/edition/coerceToConstantAstNode.ts
--- a/packages/app-builder/src/components/AstBuilder/edition/coerceToConstantAstNode.ts
+++ b/packages/app-builder/src/components/AstBuilder/edition/coerceToConstantAstNode.ts
@@ -45,7 +45,7 @@
 }
 
 const isNumberArray = /^\[(\s*(\d+(\.\d+)?)\s*,?)*(\s*|\])$/;
-const isStringArray = /^\[(\s*"?([^",[\]]+)"?\s*,?)*(\s*|\])$/;
+const isStringArray = /^\[(\s*"?([^",[\]]*)"?\s*,?)*\s*\]$/;
 
 const captureNumbers = /(?:\s*(?<numbers>\d+(\.\d+)?)\s*,?)/g;
 const captureStrings = /(?:\s*"?(?<strings>[^",[\]]*[^",[\]])"?\s*,?)/g;
EOF
@@ -45,7 +45,7 @@
}

const isNumberArray = /^\[(\s*(\d+(\.\d+)?)\s*,?)*(\s*|\])$/;
const isStringArray = /^\[(\s*"?([^",[\]]+)"?\s*,?)*(\s*|\])$/;
const isStringArray = /^\[(\s*"?([^",[\]]*)"?\s*,?)*\s*\]$/;

const captureNumbers = /(?:\s*(?<numbers>\d+(\.\d+)?)\s*,?)/g;
const captureStrings = /(?:\s*"?(?<strings>[^",[\]]*[^",[\]])"?\s*,?)/g;
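
Review bot: Changing `+` to `*` in the item class of isStringArray does not remove the ambiguity the alert describes: the comma is still optional inside the starred group, so a run of item characters can still be split across iterations in many ways, and the group can now also match nothing at all. The same line replaces the tail `(\s*|\])$` with `\s*\]$`, which makes the closing bracket mandatory and so rejects unterminated input that the previous pattern accepted; if that is intended it belongs in its own change with tests. The context line for captureStrings keeps the one-or-more form `[^",[\]]*[^",[\]]`, so after this patch the validator would accept empty items that the capture pattern never yields. Prefer making the separator mandatory between items over loosening the quantifier.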

@Pascal-Delange Pascal-Delange left a comment


Looks good to me, though I'm not the regexp expert
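
The CodeQL finding in this thread, as an added example that is not part of the pull request or the project's code: a validator that reads the list in a single pass, so there is nothing to backtrack over. The names `parseStringList`, `FORBIDDEN` and `hostileInput` are hypothetical, and the check is deliberately stricter than the PR's pattern (commas are required between items and quotes must be paired).

```javascript
// Added example: a single-pass validator for the list syntax discussed above.
// All names here are hypothetical; none come from the project.

// The same characters the PR's class [^",[\]] keeps out of an item.
const FORBIDDEN = /[",[\]]/;

// Returns the list items, or null when the input is not a string list.
// Work done is proportional to input length: one split, one scan per item.
function parseStringList(input) {
  if (!input.startsWith("[")) return null;
  // Like the PR's pattern, tolerate a closing bracket that is not typed yet.
  const end = input.endsWith("]") ? input.length - 1 : input.length;
  const body = input.slice(1, end);
  if (body.trim() === "") return [];

  const parts = body.split(",");
  // One trailing comma is allowed, as with the PR's `,?` after the last item.
  if (parts[parts.length - 1].trim() === "") parts.pop();

  const items = [];
  for (const part of parts) {
    let item = part.trim();
    // Quotes are optional but must be paired (stricter than the PR's `"?`).
    if (item.length >= 2 && item.startsWith('"') && item.endsWith('"')) {
      item = item.slice(1, -1);
    }
    // Empty items and stray quotes or brackets reject the whole list.
    if (item === "" || FORBIDDEN.test(item)) return null;
    items.push(item);
  }
  return items;
}

// Constructed input in the shape the CodeQL alert describes: '[' followed by
// many '!' characters, ending in a character that forces a rejection.
function hostileInput(n) {
  return "[" + "!".repeat(n) + "[";
}

console.log(parseStringList('[a, "b-c", d!]')); // [ 'a', 'b-c', 'd!' ]
console.log(parseStringList("[a,,b]")); // null
console.log(parseStringList(hostileInput(200000))); // null
```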
