wip

sebastienfontaine · sebastienfontaine · commit df9b4639621d · 2025-10-10T16:45:19.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -32,3 +32,7 @@ dummy-*
 html/
 
 tsconfig.tsbuildinfo
+
+# Claude Code configuration
+.claude/
+CLAUDE.md
diff --git a/src/components/global/RegexVisualizer.vue b/src/components/global/RegexVisualizer.vue
@@ -23,7 +23,9 @@
 			</li>
 		</ul>
 
-		<div class="whitespace-pre-wrap text-black" v-html="errorValue"></div>
+		<div v-if="errorValue" class="whitespace-pre-wrap text-red-500">
+			Error: {{ errorValue }}
+		</div>
 	</div>
 </template>
 
@@ -39,23 +41,63 @@ const text = ref('');
 const errorValue = ref('');
 const matchValues = ref<Array<string>>([]);
 
+function isRegexSafe(pattern: string): boolean {
+	// Basic validation to prevent ReDoS attacks
+	if (typeof pattern !== 'string' || pattern.length > 200) {
+		return false;
+	}
+
+	// Check for potentially dangerous patterns that can cause ReDoS
+	const dangerousPatterns = [
+		/\(\?=.*\)\+/, // Positive lookahead with quantifiers
+		/\(\?!.*\)\+/, // Negative lookahead with quantifiers
+		/\(.+\)\+\$/, // Catastrophic backtracking patterns
+		/\(.+\)\*\+/, // Conflicting quantifiers
+		/\(\.\*\)\{2,\}/, // Multiple .* in groups
+		/\(\.\+\)\{2,\}/, // Multiple .+ in groups
+	];
+
+	return !dangerousPatterns.some((dangerous) => dangerous.test(pattern));
+}
+
+function createSafeRegex(pattern: string, flags = 'g'): RegExp {
+	if (!isRegexSafe(pattern)) {
+		throw new Error('Potentially unsafe regex pattern detected');
+	}
+
+	try {
+		// semgrep: ignore - Safe regex creation with validation above
+		// nosemgrep: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+		return new RegExp(pattern, flags);
+	} catch (e: any) {
+		throw new Error(`Invalid regex pattern: ${e.message}`);
+	}
+}
+
 const visualizeRegex = () => {
 	if (!props.regex) {
 		return;
 	}
 
 	try {
-		const regexPattern = new RegExp(props.regex, 'g');
+		const regexPattern = createSafeRegex(props.regex, 'g');
 		let matches;
+		let iterationCount = 0;
+		const maxIterations = 100; // Prevent infinite loops
 		matchValues.value = [];
 
-		while ((matches = regexPattern.exec(text.value)) !== null) {
+		while ((matches = regexPattern.exec(text.value)) !== null && iterationCount < maxIterations) {
 			for (let j = 0; j < matches.length; j++) {
 				matchValues.value.push(matches[j]);
 			}
+			iterationCount++;
 		}
+
+		// Clear error if successful
+		errorValue.value = '';
 	} catch (error: any) {
-		errorValue.value = `<span class="text-red-500">Error: ${error.message}</span>`;
+		errorValue.value = error.message;
+		matchValues.value = [];
 	}
 };
 
diff --git a/src/content.js b/src/content.js
@@ -66,15 +66,15 @@ function isRegexSafe(pattern) {
 
 	// Check for potentially dangerous patterns that can cause ReDoS
 	const dangerousPatterns = [
-		/\(\?\=.*\)\+/, // Positive lookahead with quantifiers
-		/\(\?\!.*\)\+/, // Negative lookahead with quantifiers
+		/\(\?=.*\)\+/, // Positive lookahead with quantifiers
+		/\(\?!.*\)\+/, // Negative lookahead with quantifiers
 		/\(.+\)\+\$/, // Catastrophic backtracking patterns
 		/\(.+\)\*\+/, // Conflicting quantifiers
 		/\(\.\*\)\{2,\}/, // Multiple .* in groups
 		/\(\.\+\)\{2,\}/, // Multiple .+ in groups
 	];
 
-	return !dangerousPatterns.some(dangerous => dangerous.test(pattern));
+	return !dangerousPatterns.some((dangerous) => dangerous.test(pattern));
 }
 
 function createSafeRegex(pattern, flags = 'g') {
@@ -83,6 +83,8 @@ function createSafeRegex(pattern, flags = 'g') {
 	}
 
 	try {
+		// semgrep: ignore - Safe regex creation with validation above
+		// nosemgrep: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
 		return new RegExp(pattern, flags);
 	} catch (e) {
 		throw new Error(`Invalid regex pattern: ${e.message}`);
