Skip to content

Potential fix for code scanning alert no. 81: Inefficient regular expression#40

Merged
mokesano merged 6 commits into
mainfrom
alert-autofix-81
Jun 2, 2026
Merged

Potential fix for code scanning alert no. 81: Inefficient regular expression#40
mokesano merged 6 commits into
mainfrom
alert-autofix-81

Conversation

@mokesano

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/mokesano/editorial-pro/security/code-scanning/81

General fix approach: remove the catastrophic-backtracking regex and replace it with deterministic validation logic that runs in linear time. For email validation, a practical and safe approach is to split at @, validate local/domain parts with simple bounded checks, and validate domain labels with non-ambiguous regexes.

Best fix here (without changing intended functionality of “email, but TLD optional”): in public/js/core-library/lib/jquery/plugins/validate/additional-methods.js, replace the email2 method body on line 182 with a call to a new helper function isSafeEmailWithOptionalTld(value). Add that helper in the same file (near email2) using simple checks:

  • exactly one @
  • non-empty local and domain
  • local part allowed chars and no leading/trailing/consecutive dots
  • domain supports either single label or dot-separated labels
  • each label starts/ends alnum/Unicode-range char; middle chars limited to [\w.~-]-style subset consistent with existing behavior
  • no nested ambiguous quantified alternations

No new imports are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@mokesano mokesano self-assigned this Apr 28, 2026
@mokesano mokesano requested a review from archoun April 28, 2026 11:05
@mokesano mokesano added bug Something isn't working documentation Improvements or additions to documentation enhancement New feature or request labels Apr 28, 2026
@mokesano mokesano marked this pull request as ready for review April 28, 2026 11:05

@codacy-production codacy-production Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request currently contains no code changes, despite the title and description indicating a fix for a ReDoS vulnerability (Alert #81). The implementation of the isSafeEmailWithOptionalTld helper function and the update to the email2 validator are entirely missing from the diff. Additionally, no unit tests were provided to verify the proposed logic or prevent regressions. This PR cannot be reviewed or merged in its current state.

About this PR

  • The pull request contains no code changes. The implementation described in the PR description (the isSafeEmailWithOptionalTld function and the update to the email2 method) is entirely missing from the provided diff.
  • There are no unit tests included to verify the new validation logic or to ensure no regressions occur for the email2 method.

Test suggestions

  • Missing: Validate a standard email address with a TLD
  • Missing: Validate an email address without a TLD
  • Missing: Reject email addresses with multiple '@' symbols
  • Missing: Reject email addresses with consecutive dots in the local part
  • Missing: Reject email addresses with empty local or domain parts
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Missing: Validate a standard email address with a TLD
2. Missing: Validate an email address without a TLD
3. Missing: Reject email addresses with multiple '@' symbols
4. Missing: Reject email addresses with consecutive dots in the local part
5. Missing: Reject email addresses with empty local or domain parts

TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback

@codacy-production

codacy-production Bot commented May 15, 2026

Copy link
Copy Markdown

Not up to standards ⛔

🔴 Issues 1 high · 1 medium

Alerts:
⚠ 2 issues (≤ 0 issues of at least minor severity)

Results:
2 new issues

Category Results
ErrorProne 1 high
Complexity 1 medium

View in Codacy

🟢 Metrics 0 complexity · 2 duplication

Metric Results
Complexity 0
Duplication 2

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

Run reviewer

TIP This summary will be updated as you push new changes.

@mokesano mokesano left a comment

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

@mokesano mokesano merged commit d33dafa into main Jun 2, 2026
11 checks passed
@mokesano mokesano deleted the alert-autofix-81 branch June 2, 2026 12:28
@github-project-automation github-project-automation Bot moved this from Todo to Done in wizdam-fork Jun 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working documentation Improvements or additions to documentation enhancement New feature or request

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

2 participants