Potential fix for code scanning alert no. 23: Overly permissive regular expression range#6131
Merged
Potential fix for code scanning alert no. 23: Overly permissive regular expression range#6131
Conversation
…ar expression range Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
![github-code-quality[bot]](https://avatars.githubusercontent.com/u/9919?s=60&v=4){kind=small}
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## develop #6131 +/- ##
=============================================
- Coverage 50.00% 49.97% -0.04%
Complexity 7481 7481
=============================================
Files 722 722
Lines 24100 24100
=============================================
- Hits 12051 12043 -8
- Misses 12049 12057 +8
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
…ter class' Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/Catrobat/Catroweb/security/code-scanning/23
In general, to fix overly permissive character ranges, ensure that any
-inside a character class either denotes a deliberate range (likeA-Z) or is escaped or moved to an edge position so it’s treated as a literal hyphen. Also avoid mixed upper/lowercase ranges likeA-fwhich unintentionally span more characters than expected.Here, the suspicious part is
[\w?=&./+-;#~%-]+. The+-;segment forms an unintended range from+to;. The simplest fix that preserves existing functionality is to treat-as a literal by escaping it. Changing+-;to+\-;(i.e.,.../+\-;#...) makes-a literal hyphen while keeping+and;as separate allowed characters. No other changes to the pattern are necessary for this specific CodeQL issue. Concretely, inassets/Project/Project.js, withincreateLinks()on line 38, update the regex from/((http|https|ftp):\/\/[\w?=&./+-;#~%-]+(?![\w\s?&./;#~%"=-]*>))/gto/((http|https|ftp):\/\/[\w?=&./+\-;#~%-]+(?![\w\s?&./;#~%"=-]*>))/g. This does not change surrounding code or imports.Suggested fixes powered by Copilot Autofix. Review carefully before merging.