🔒 Enhance security: Refactor SQL and JS injection patterns; add ReDoS test cases for input validation.

pcrespov · pcrespov · commit c67e3c5cec1f · 2025-10-16T20:11:07.000+02:00
diff --git a/packages/models-library/src/models_library/string_types.py b/packages/models-library/src/models_library/string_types.py
@@ -19,12 +19,10 @@
 _LONG_TRUNCATED_STR_MAX_LENGTH: Final[int] = 65536  # same as github descriptions
 
 _SQL_INJECTION_PATTERN: Final[re.Pattern] = re.compile(
-    r"(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|EXEC|TRUNCATE|MERGE|GRANT|REVOKE|COMMIT|ROLLBACK|DECLARE|CAST|CONVERT)\b|--|;|/\*|\*/|')",
-    re.IGNORECASE,
+    r"(?i)\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|EXEC|TRUNCATE|MERGE|GRANT|REVOKE|COMMIT|ROLLBACK|DECLARE|CAST|CONVERT)\b|--|;|/\*|\*/|'",
 )
 _JS_INJECTION_PATTERN: Final[re.Pattern] = re.compile(
-    r"(<\s*script.*?>|</\s*script\s*>|<\s*iframe.*?>|</\s*iframe\s*>|<\s*object.*?>|</\s*object\s*>|<\s*embed.*?>|</\s*embed\s*>|<\s*link[^>]*href\s*=\s*[\"']?\s*javascript:|vbscript:|javascript:|data:text/html|&#x6A;avascript:|&#106;avascript:|<\s*img[^>]*onerror\s*=|<\s*svg[^>]*onload\s*=|on[a-z]+\s*=)",
-    re.IGNORECASE,
+    r"(?i)<(?:script|iframe|object|embed)\b[^>]*>|</(?:script|iframe|object|embed)>|<link\b[^>]*href\s*=\s*[\"']?\s*javascript:|(?:vb|java)script:|data:text/html|&#(?:x6A|106);avascript:|<(?:img|svg)\b[^>]*on\w+\s*=|on[a-z]+\s*=",
 )
 STRING_UNSAFE_CONTENT_ERROR_CODE: Final[str] = "string_unsafe_content"
 
diff --git a/packages/models-library/tests/test_string_types.py b/packages/models-library/tests/test_string_types.py
@@ -112,6 +112,19 @@ class InputRequestModel(BaseModel):
         pytest.param(
             "SafeName", "&#106;avascript:alert(1)", False, id="invalid-desc-encoded-js"
         ),
+        # ❌ ReDoS (Regular expression Denial of Service) test patterns
+        pytest.param(
+            "SafeName",
+            "<script" + ">" * 1000 + "alert(1)</script>",
+            False,
+            id="redos-nested-tags",
+        ),
+        pytest.param(
+            "SafeName",
+            "SELECT " + "a" * 10000 + " FROM users",
+            False,
+            id="redos-long-sql-keyword",
+        ),
     ],
 )
 def test_safe_string_types(name: str, description: str, should_pass: bool):

Original file line number	Diff line number	Diff line change
`@@ -19,12 +19,10 @@`
`19`	`19`	`_LONG_TRUNCATED_STR_MAX_LENGTH: Final[int] = 65536 # same as github descriptions`
`20`	`20`
`21`	`21`	`_SQL_INJECTION_PATTERN: Final[re.Pattern] = re.compile(`
`22`		`- r"(\b(SELECT\|INSERT\|UPDATE\|DELETE\|DROP\|UNION\|ALTER\|CREATE\|EXEC\|TRUNCATE\|MERGE\|GRANT\|REVOKE\|COMMIT\|ROLLBACK\|DECLARE\|CAST\|CONVERT)\b\|--\|;\|/\\|\/\|')",`
`23`		`- re.IGNORECASE,`
	`22`	`+ r"(?i)\b(?:SELECT\|INSERT\|UPDATE\|DELETE\|DROP\|UNION\|ALTER\|CREATE\|EXEC\|TRUNCATE\|MERGE\|GRANT\|REVOKE\|COMMIT\|ROLLBACK\|DECLARE\|CAST\|CONVERT)\b\|--\|;\|/\\|\/\|'",`
`24`	`23`	`)`
`25`	`24`	`_JS_INJECTION_PATTERN: Final[re.Pattern] = re.compile(`
`26`		`- r"(<\sscript.?>\|</\sscript\s>\|<\siframe.?>\|</\siframe\s>\|<\sobject.?>\|</\sobject\s>\|<\sembed.?>\|</\sembed\s>\|<\slink[^>]href\s=\s[\"']?\sjavascript:\|vbscript:\|javascript:\|data:text/html\|javascript:\|javascript:\|<\simg[^>]onerror\s=\|<\ssvg[^>]onload\s=\|on[a-z]+\s=)",`
`27`		`- re.IGNORECASE,`
	`25`	`+ r"(?i)<(?:script\|iframe\|object\|embed)\b[^>]>\|</(?:script\|iframe\|object\|embed)>\|<link\b[^>]href\s=\s[\"']?\sjavascript:\|(?:vb\|java)script:\|data:text/html\|&#(?:x6A\|106);avascript:\|<(?:img\|svg)\b[^>]on\w+\s=\|on[a-z]+\s=",`
`28`	`26`	`)`
`29`	`27`	`STRING_UNSAFE_CONTENT_ERROR_CODE: Final[str] = "string_unsafe_content"`
`30`	`28`