🔒 Enhance security: Refine SQL and JS injection patterns; improve ReDoS test cases for input validation.

pcrespov · pcrespov · commit b12e139d9a48 · 2025-10-16T20:23:29.000+02:00
diff --git a/packages/models-library/src/models_library/string_types.py b/packages/models-library/src/models_library/string_types.py
@@ -19,10 +19,10 @@
 _LONG_TRUNCATED_STR_MAX_LENGTH: Final[int] = 65536  # same as github descriptions
 
 _SQL_INJECTION_PATTERN: Final[re.Pattern] = re.compile(
-    r"(?i)\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|EXEC|TRUNCATE|MERGE|GRANT|REVOKE|COMMIT|ROLLBACK|DECLARE|CAST|CONVERT)\b|--|;|/\*|\*/|'",
+    r"(?i)(?:\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|EXEC|TRUNCATE|MERGE|GRANT|REVOKE|COMMIT|ROLLBACK|DECLARE|CAST|CONVERT)\b|--|;|/\*|\*/|')",
 )
 _JS_INJECTION_PATTERN: Final[re.Pattern] = re.compile(
-    r"(?i)<(?:script|iframe|object|embed)\b[^>]*>|</(?:script|iframe|object|embed)>|<link\b[^>]*href\s*=\s*[\"']?\s*javascript:|(?:vb|java)script:|data:text/html|&#(?:x6A|106);avascript:|<(?:img|svg)\b[^>]*on\w+\s*=|on[a-z]+\s*=",
+    r"(?i)<(?:script|iframe|object|embed)(?:\s[^>]{0,100})?>|</(?:script|iframe|object|embed)>|<link(?:\s[^>]{0,200})?href\s*=\s*[\"']?\s*javascript:|(?:vb|java)script:|data:text/html|&#(?:x6A|106);avascript:|<(?:img|svg)(?:\s[^>]{0,200})?on\w+\s*=|on[a-z]+\s*=",
 )
 STRING_UNSAFE_CONTENT_ERROR_CODE: Final[str] = "string_unsafe_content"
 
diff --git a/packages/models-library/tests/test_string_types.py b/packages/models-library/tests/test_string_types.py
@@ -115,15 +115,27 @@ class InputRequestModel(BaseModel):
         # ❌ ReDoS (Regular expression Denial of Service) test patterns
         pytest.param(
             "SafeName",
-            "<script" + ">" * 1000 + "alert(1)</script>",
+            "<script" + " " * 200 + ">alert(1)</script>",
             False,
-            id="redos-nested-tags",
+            id="redos-script-spaces",
         ),
         pytest.param(
             "SafeName",
-            "SELECT " + "a" * 10000 + " FROM users",
+            "<img" + " src='x'" * 100 + " onerror='alert(1)'>",
             False,
-            id="redos-long-sql-keyword",
+            id="redos-img-attributes",
+        ),
+        pytest.param(
+            "SafeName",
+            "SELECT" + " " * 1000 + "* FROM users",
+            False,
+            id="redos-sql-spaces",
+        ),
+        pytest.param(
+            "SafeName",
+            "/*" + "*" * 500 + "*/ SELECT data",
+            False,
+            id="redos-sql-nested-comments",
         ),
     ],
 )

Original file line number	Diff line number	Diff line change
`@@ -19,10 +19,10 @@`
`19`	`19`	`_LONG_TRUNCATED_STR_MAX_LENGTH: Final[int] = 65536 # same as github descriptions`
`20`	`20`
`21`	`21`	`_SQL_INJECTION_PATTERN: Final[re.Pattern] = re.compile(`
`22`		`- r"(?i)\b(?:SELECT\|INSERT\|UPDATE\|DELETE\|DROP\|UNION\|ALTER\|CREATE\|EXEC\|TRUNCATE\|MERGE\|GRANT\|REVOKE\|COMMIT\|ROLLBACK\|DECLARE\|CAST\|CONVERT)\b\|--\|;\|/\\|\/\|'",`
	`22`	`+ r"(?i)(?:\b(?:SELECT\|INSERT\|UPDATE\|DELETE\|DROP\|UNION\|ALTER\|CREATE\|EXEC\|TRUNCATE\|MERGE\|GRANT\|REVOKE\|COMMIT\|ROLLBACK\|DECLARE\|CAST\|CONVERT)\b\|--\|;\|/\\|\/\|')",`
`23`	`23`	`)`
`24`	`24`	`_JS_INJECTION_PATTERN: Final[re.Pattern] = re.compile(`
`25`		`- r"(?i)<(?:script\|iframe\|object\|embed)\b[^>]>\|</(?:script\|iframe\|object\|embed)>\|<link\b[^>]href\s=\s[\"']?\sjavascript:\|(?:vb\|java)script:\|data:text/html\|&#(?:x6A\|106);avascript:\|<(?:img\|svg)\b[^>]on\w+\s=\|on[a-z]+\s=",`
	`25`	`+ r"(?i)<(?:script\|iframe\|object\|embed)(?:\s[^>]{0,100})?>\|</(?:script\|iframe\|object\|embed)>\|<link(?:\s[^>]{0,200})?href\s=\s[\"']?\sjavascript:\|(?:vb\|java)script:\|data:text/html\|&#(?:x6A\|106);avascript:\|<(?:img\|svg)(?:\s[^>]{0,200})?on\w+\s=\|on[a-z]+\s*=",`
`26`	`26`	`)`
`27`	`27`	`STRING_UNSAFE_CONTENT_ERROR_CODE: Final[str] = "string_unsafe_content"`
`28`	`28`