Merge pull request #5613 from github/hmakholm/pr/fix-redos

Fix ReDOS in cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
2026-04-26 17:25:19 +02:00 · 2021-04-06 15:54:27 -07:00
parent 9a41c80626 2d615ef503
commit e22ec50dee
1 changed files with 1 additions and 1 deletions
--- a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -93,7 +93,7 @@ class QuotedCommandInCreateProcessFunctionConfiguration extends DataFlow2::Confi

 bindingset[s]
 predicate isQuotedOrNoSpaceApplicationNameOnCmd(string s) {
-  s.regexpMatch("\"([^\"])*\"(\\s|.)*") // The first element (path) is quoted
+  s.regexpMatch("\"([^\"])*\"[\\s\\S]*") // The first element (path) is quoted
  or
  s.regexpMatch("[^\\s]+") // There are no spaces in the string
 }