Merge pull request #248 from Microsoft/dm/regexfix

darrelmiller · web-flow · commit ee0725f36c62 · 2018-05-04T12:27:06.000-04:00
Fix for regex to potentially prevent catastrophic backtracking
diff --git a/src/Microsoft.OpenApi/Validations/Rules/OpenApiResponsesRules.cs b/src/Microsoft.OpenApi/Validations/Rules/OpenApiResponsesRules.cs
@@ -28,7 +28,7 @@ public static class OpenApiResponsesRules
                 });
 
         /// <summary>
-        /// The response key must either be "default" or an HTTP status code (1xx, 2xx, 3xx, 4xx, 5xx)
+        /// The response key must either be "default" or an HTTP status code (1xx, 2xx, 3xx, 4xx, 5xx).
         /// </summary>
         public static ValidationRule<OpenApiResponses> ResponsesMustBeIdentifiedByDefaultOrStatusCode =>
             new ValidationRule<OpenApiResponses>(
@@ -38,7 +38,7 @@ public static class OpenApiResponsesRules
                     {
                         context.Enter(key);
 
-                        if (key != "default" && !Regex.IsMatch(key, "^[1-5]([0-9][0-9]|XX)$"))
+                        if (key != "default" && !Regex.IsMatch(key, "^[1-5](?>[0-9]{2}|XX)$"))
                         {
                             context.CreateError(nameof(ResponsesMustBeIdentifiedByDefaultOrStatusCode), 
                                     "Responses key must be 'default', an HTTP status code, " +
@@ -50,4 +50,4 @@ public static class OpenApiResponsesRules
                     }
                 });
     }
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ public static class OpenApiResponsesRules`
`28`	`28`	`});`
`29`	`29`
`30`	`30`	`/// <summary>`
`31`		`- /// The response key must either be "default" or an HTTP status code (1xx, 2xx, 3xx, 4xx, 5xx)`
	`31`	`+ /// The response key must either be "default" or an HTTP status code (1xx, 2xx, 3xx, 4xx, 5xx).`
`32`	`32`	`/// </summary>`
`33`	`33`	`public static ValidationRule<OpenApiResponses> ResponsesMustBeIdentifiedByDefaultOrStatusCode =>`
`34`	`34`	`new ValidationRule<OpenApiResponses>(`
`@@ -38,7 +38,7 @@ public static class OpenApiResponsesRules`
`38`	`38`	`{`
`39`	`39`	`context.Enter(key);`
`40`	`40`
`41`		`- if (key != "default" && !Regex.IsMatch(key, "^[1-5]([0-9][0-9]\|XX)$"))`
	`41`	`+ if (key != "default" && !Regex.IsMatch(key, "^[1-5](?>[0-9]{2}\|XX)$"))`
`42`	`42`	`{`
`43`	`43`	`context.CreateError(nameof(ResponsesMustBeIdentifiedByDefaultOrStatusCode),`
`44`	`44`	`"Responses key must be 'default', an HTTP status code, " +`
`@@ -50,4 +50,4 @@ public static class OpenApiResponsesRules`
`50`	`50`	`}`
`51`	`51`	`});`
`52`	`52`	`}`
`53`		`-}`
	`53`	`+}`