Address CodeQL security alerts #6609
Conversation
| @@ -795,7 +795,7 @@ def generated_sorbet_rbi? | |||
| return false unless lines.count >= 5 | |||
| lines[0].match?(/^# typed:/) && | |||
| lines[2].include?("DO NOT EDIT MANUALLY") && | |||
| lines[4].match?(/^# Please.*run.*`.*tapioca/) | |||
| lines[4].match?(/^# Please (run|instead update this file by running) `bin\/tapioca/) | |||
There was a problem hiding this comment.
From the alert:
"This regular expression that depends on a library input may run slow on strings starting with '# Pleaserun' and with many repetitions of 'run'."
| return lines[0].match(/\/\* GIMP [a-zA-Z0-9\- ]+ C\-Source image dump \(.+?\.c\) \*\//) || | ||
| lines[0].match(/\/\* GIMP header image file format \([a-zA-Z0-9\- ]+\)\: .+?\.h \*\//) | ||
| return lines[0].match(/^\/\* GIMP [a-zA-Z0-9\- ]+ C\-Source image dump \(.+?\.c\) \*\//) || | ||
| lines[0].match(/^\/\* GIMP header image file format \([a-zA-Z0-9\- ]+\)\: .+?\.h \*\//) |
There was a problem hiding this comment.
From the alert:
"This regular expression that depends on a library input may run slow on strings starting with '/* GIMP header image file format ( ): ' and with many repetitions of '/* GIMP header image file format ( ): '.
| @@ -693,8 +693,8 @@ def generated_gamemakerstudio? | |||
| def generated_gimp? | |||
| return false unless ['.c', '.h'].include? extname | |||
| return false unless lines.count > 0 | |||
| return lines[0].match(/\/\* GIMP [a-zA-Z0-9\- ]+ C\-Source image dump \(.+?\.c\) \*\//) || | |||
| lines[0].match(/\/\* GIMP header image file format \([a-zA-Z0-9\- ]+\)\: .+?\.h \*\//) | |||
| return lines[0].match(/^\/\* GIMP [a-zA-Z0-9\- ]+ C\-Source image dump \(.+?\.c\) \*\//) || | |||
There was a problem hiding this comment.
From the alert:
"This regular expression that depends on a library input may run slow on strings starting with '/* GIMP C-Source image dump (' and with many repetitions of '/* GIMP C-Source image dump ('."
| @@ -301,7 +301,7 @@ def generated_postscript? | |||
|
|
|||
| # Type 1 and Type 42 fonts converted to PostScript are stored as hex-encoded byte streams; these | |||
| # streams are always preceded the `eexec` operator (if Type 1), or the `/sfnts` key (if Type 42). | |||
| return true if data =~ /(\n|\r\n|\r)\s*(?:currentfile eexec\s+|\/sfnts\s+\[\1<)\h{8,}\1/ | |||
| return true if data =~ /^\s*(?:currentfile eexec\s+|\/sfnts\s+\[\s<)/ | |||
There was a problem hiding this comment.
From the alert:
"This regular expression that depends on a library input may run slow on strings starting with '\n' and with many repetitions of '\n'."
This seems the most silly to me, but I also realised this is probably more complex than it really needs to be so I've simplified it. It was also Ruby-specific.
Description
CodeQL has been enabled on this repo and the analysis has revealed two issues repeated a few times that this PR addresses:
Kernel.openorIO.reador similar sinks with a non-constant value