Fix ReDoS in secret scanning regex patterns #15232

Merged
pelikhan merged 4 commits into main from copilot/review-secret-scanning-regexes on Feb 12, 2026

Conversation

Copilot AI (Contributor) commented Feb 12, 2026

Fix ReDoS Vulnerability in Secret Scanning Regex Patterns ✅

Completed Tasks

  • Merge main branch into PR branch
  • Fix test assertions for new ***REDACTED*** format
  • Verify all 38 tests pass
  • Format and lint JavaScript code

Changes Summary

1. Merged main branch

Integrated two security fixes from main:

  • Reduced minimum secret length from 8 to 6 characters
  • Changed redaction format from prefix preservation (abc***) to fixed-length (***REDACTED***)

2. Fixed ReDoS Vulnerability (Original Changes)

Azure SAS Token pattern (line 58):

  • Before: /\?sv=[0-9-]+&s[rts]=[\w\-]+&sig=[A-Za-z0-9%+/=]+/g
  • After: /\?sv=[0-9-]{1,20}&s[rts]=[\w\-]{1,20}&sig=[A-Za-z0-9%+/=]{1,200}/g

Google OAuth Access Token pattern (line 62):

  • Before: /ya29\.[0-9A-Za-z_-]+/g
  • After: /ya29\.[0-9A-Za-z_-]{1,800}/g

3. Updated Test Assertions

Fixed test expectations to match new redaction format:

  • "abc***" → "***REDACTED***"
  • "ya2************" → "***REDACTED***"
  • Pathological input tests now check for ***REDACTED*** format

Test Results

✅ All 38 tests pass (33 existing + 4 ReDoS protection + 1 new 6-char test)
✅ JavaScript formatting validated
✅ JavaScript linting validated

Security Impact

Combined with main's changes, this PR provides:

  1. ReDoS protection: Bounded quantifiers prevent exponential backtracking
  2. Reduced false negatives: 6-character secrets now redacted (was 8)
  3. Enhanced security: Fixed-length redaction prevents information disclosure


Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Review regex patterns for secret scanning vulnerabilities" to "Fix ReDoS in secret scanning regex patterns" on Feb 12, 2026
Copilot AI requested a review from pelikhan February 12, 2026 20:23
pelikhan (Contributor) commented

@copilot merge main, fix tests

Copilot AI (Contributor, Author) commented Feb 12, 2026

> @copilot merge main, fix tests

Merged main and fixed tests. All 38 tests passing now (commit 75b6343).

The merge included two security fixes from main that changed redaction behavior:

  • Minimum secret length: 8 → 6 characters
  • Redaction format: abc*** → ***REDACTED***

Updated test assertions accordingly.

@pelikhan pelikhan marked this pull request as ready for review February 12, 2026 20:59
Copilot AI review requested due to automatic review settings February 12, 2026 20:59
Copilot AI (Contributor) left a review comment


Pull request overview

This PR fixes a Regular Expression Denial of Service (ReDoS) vulnerability in the secret scanning regex patterns by adding bounded quantifiers to two patterns that previously used unbounded quantifiers. The changes also include merging recent security improvements from the main branch and updating test assertions to match the new redaction format.

Changes:

  • Fixed ReDoS vulnerability in Azure SAS Token and Google OAuth Access Token regex patterns by replacing unbounded quantifiers (+) with bounded quantifiers ({1,20}, {1,200}, {1,800})
  • Updated test assertion on line 109 to use new ***REDACTED*** format instead of prefix-preserving format
  • Added comprehensive ReDoS protection tests covering pathological inputs, timing verification, and validation that legitimate tokens still match

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
actions/setup/js/redact_secrets.cjs | Added bounded quantifiers to Azure SAS Token and Google OAuth Access Token regex patterns to prevent ReDoS attacks
actions/setup/js/redact_secrets.test.cjs | Updated test assertion for new redaction format and added 4 comprehensive ReDoS protection tests


@pelikhan pelikhan merged commit a1665c5 into main Feb 12, 2026
91 checks passed
@pelikhan pelikhan deleted the copilot/review-secret-scanning-regexes branch February 12, 2026 21:13