Merge pull request #292 from github/regexp_slash_az

Don't parse `\A` and `\Z` as `RegExpConstant`
2026-04-24 00:05:14 +02:00 · 2021-09-17 16:42:13 +01:00
parent 1fd91ab9bd ebf23d00d1
commit 3d23575a38
4 changed files with 24 additions and 17 deletions
--- a/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.rb
+++ b/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.rb
@@ -33,7 +33,10 @@ class FooController < ActionController::Base

    # GOOD - guarded by a string length check
    if name.length < 1024
-	name.gsub regex, ''
+      name.gsub regex, ''
    end
+
+    # GOOD - regex does not suffer from polynomial backtracking (regression test)
+    params[:foo] =~ /\A[bc].*\Z/
  end
-end
+end