Bug report — Misleading regex operator precedence vulnerability #2036

@diabbs

Description

While performing a static code quality or security analysis (e.g., ESLint, SonarQube), the following warning appears in edr_target/elementary_report.html:

Misleading operator precedence. The subexpression '^px' is anchored at the beginning,
but the other parts of this regular expression are not
Misleading operator precedence. The subexpression 'Q$' is anchored at the end,
but the other parts of this regular expression are not

This typically indicates that the regular expression uses anchors (^ or $) on only part of the expression,
which can lead to ambiguous matching behavior and, in some cases, potential ReDoS vulnerabilities.

^px|Q$

This pattern anchors px at the start and Q at the end, but leaves other branches unanchored.
Depending on context, this can behave unexpectedly or be flagged by static analysis tools.

Expected behavior

No misleading operator precedence warning should be raised,
and regex anchoring should be consistent across the entire expression.

Questions
1- Is this regex still in active use in the latest version of elementary?
2- If yes, is there a planned fix or refactor to address the anchoring issue?
3- If it has already been fixed, could you confirm in which version?

Screenshots
If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

Package: elementary-data/elementary version: 0.18.3
DBT Core Version: 1.8.7

Context: Static analysis of edr_target/elementary_report.html

Detected by: Security or linter tool (e.g., SonarQube / ESLint)
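How the reported pattern `^px|Q$` is parsed, as an added example that is not part of the original issue or of elementary's code: alternation binds more loosely than the anchors, so the pattern reads as `(^px)|(Q$)`. The helper names and the grouped form `^(?:px|Q)$` are assumptions used for comparison only.

```javascript
// Added example: hypothetical helpers, not code from elementary or the linter.

// Split a regex source on top-level '|' (outside groups, classes, escapes).
function topLevelAlternatives(source) {
  const parts = [];
  let depth = 0, inClass = false, current = "";
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === "\\") {                       // keep escape pairs intact
      current += ch + (source[i + 1] ?? "");
      i++;
      continue;
    }
    if (inClass) { if (ch === "]") inClass = false; }
    else if (ch === "[") inClass = true;
    else if (ch === "(") depth++;
    else if (ch === ")") depth--;
    else if (ch === "|" && depth === 0) {    // branch boundary
      parts.push(current);
      current = "";
      continue;
    }
    current += ch;
  }
  parts.push(current);
  return parts;
}

// Flag patterns whose branches do not all carry the same anchors.
function anchorReport(source) {
  const branches = topLevelAlternatives(source).map((branch) => ({
    branch,
    start: branch.startsWith("^"),
    end: /(^|[^\\])(\\\\)*\$$/.test(branch), // unescaped trailing '$'
  }));
  const differs = (key) => new Set(branches.map((b) => b[key])).size > 1;
  return { branches, mixed: differs("start") || differs("end") };
}

// Pattern from the report, and an assumed fully anchored form for comparison.
const asWritten = /^px|Q$/;
const grouped = /^(?:px|Q)$/;
const compare = (input) =>
  ({ input, asWritten: asWritten.test(input), grouped: grouped.test(input) });

// Constructed sample inputs.
console.log(anchorReport(asWritten.source));
console.log(["px", "Q", "pxfoo", "fooQ", "xQx"].map(compare));
```

The two patterns agree on `px` and `Q` but differ on `pxfoo` and `fooQ`, which only the pattern as written accepts.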
