Merge pull request #298 from github/codeql-polynomial-regex

jhongturney · web-flow · commit 2085cceffdfa · 2024-05-21T11:35:55.000-07:00
CodeQL - Limit polynomial regex to only match 1000 characters at most
diff --git a/lib/octocatalog-diff/catalog-util/command.rb b/lib/octocatalog-diff/catalog-util/command.rb
@@ -91,7 +91,7 @@ def setup
         facts_terminus = @options.fetch(:facts_terminus, 'yaml')
         if facts_terminus == 'yaml'
           cmdline << "--factpath=#{Shellwords.escape(File.join(@compilation_dir, 'var', 'yaml', 'facts'))}"
-          if @options[:fact_file].is_a?(String) && @options[:fact_file] =~ /.*\.(\w+)$/
+          if @options[:fact_file].is_a?(String) && @options[:fact_file] =~ /.*{1,1000}\.(\w+)$/
             fact_file = File.join(@compilation_dir, 'var', 'yaml', 'facts', "#{@node}.#{Regexp.last_match(1)}")
             FileUtils.cp @options[:fact_file], fact_file unless File.file?(fact_file) || @options[:fact_file] == fact_file
           end
diff --git a/spec/octocatalog-diff/tests/util/parallel_spec.rb b/spec/octocatalog-diff/tests/util/parallel_spec.rb
@@ -343,8 +343,8 @@ def two(arg, _logger = nil)
       expect(two_result.exception).to eq(nil)
       expect(two_result.output).to match(/^two def \d+$/)
 
-      one_time = Regexp.last_match(1).to_i if one_result.output =~ /(\d+)$/
-      two_time = Regexp.last_match(1).to_i if two_result.output =~ /(\d+)$/
+      one_time = Regexp.last_match(1).to_i if one_result.output =~ /(\d+{1,1000})$/
+      two_time = Regexp.last_match(1).to_i if two_result.output =~ /(\d+{1,1000})$/
       expect(one_time).to be < two_time
     end
 
