RegExpInjection takes 6 hours to scan the TypeScript repo after 2.20.2 #18584
Labels
acknowledged
GitHub staff acknowledges this issue
Comments
|
What I see is a lot of: |
|
@github/codeql-javascript : Can you take a look, please? |
|
Thanks for the report! This seems to be consequence of our recent switch to the same data flow library used by other languages. There are rare cases where this type of slowdown can occur and we're looking into ways to fix it, but for now I've added this reproduction case to our internal tracking issue. In the meantime, your workaround makes sense, especially if you don't consider regexp injection to be a security issue in this repository. |
|
Filed a similar Issue for Thanks for taking the taking the time to report the original @jakebailey ! inspired me to do the same |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description of the issue
The GitHub hosted runners switched from 2.20.1 to 2.20.2, and now the
RegExpInjectionrule takes 6ish hours on the TypeScript repo.Before: https://github.com/microsoft/TypeScript/actions/runs/12920012966/job/36031579264
After: https://github.com/microsoft/TypeScript/actions/runs/12937825177/job/36086609739?pr=61034
I suspect this is due to the TypeScript compiler generating
RegExpinstances at runtime in order to implement file globbing; their inputs are technically from user input, but it's parsed out and constructed from known syntax with limitations. Even if these were poorly constructed, this is not a security problem; it just make's a user's own compilation slow.The changelog for 2.20.2 mentions this, so it's possible the analysis is running away.
https://codeql.github.com/docs/codeql-overview/codeql-changelog/codeql-cli-2.20.0/#javascript-typescript
The text was updated successfully, but these errors were encountered: