[backport jline-3.x] fix: guard regex matching against catastrophic backtracking (ReDoS)#2018
Conversation
Add SafeRegex utility that wraps regex input in a TimeoutCharSequence to enforce a wall-clock deadline during matching. Java's backtracking NFA engine can take exponential time on patterns with nested quantifiers (e.g. (a+)+b); the wrapper checks System.nanoTime() every 1024 charAt() calls and throws RegexTimeoutException if the deadline is exceeded. Fixed 8 locations where user-controlled input was matched as a regex without protection: - Less: search and display-filter matching - Nano: regex search mode - grep: removed unsafe .* wrapping, use find() instead of matches() - Commands (history -m): glob pattern now uses SafeRegex.compileGlob() - DefaultHistory (HISTORY_IGNORE): glob patterns properly quoted - LineReaderImpl: Ctrl-R/Ctrl-S search and history suggestion matching - AttributedString.styleMatches: search highlight rendering Addresses GHSA-r2xf-8xr9-62gw, GHSA-2v9w-34q6-wpqx, GHSA-ph9c-7hw9-vhhw, GHSA-5q95-hrpc-m3w3. Closes jline#2012
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
🤖 Augment PR SummarySummary: Backport of the jline-3.x security hardening for regex matching to mitigate catastrophic backtracking (ReDoS). Changes:
Technical Notes: The timeout is enforced via a wall-clock deadline checked periodically during 🤖 Was this summary useful? React with 👍 or 👎 |
| /** | ||
| * Compile a glob-style pattern into a {@link Pattern}. | ||
| * | ||
| * <p>Only {@code *} (match any string) and {@code \} (escape) are |
There was a problem hiding this comment.
SafeRegex.compileGlob(..., flags) documents that “every other character is regex-quoted so it matches literally”, but if callers pass Pattern.COMMENTS then unescaped whitespace and # won’t be treated literally (which can change glob semantics). Consider documenting that COMMENTS isn’t supported here (or ensuring literals remain literal under that flag).
Severity: low
🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.



Backport of #2012
Cherry-pick of #2012 onto
jline-3.x.Original PR: #2012 - fix: guard regex matching against catastrophic backtracking (ReDoS)
Original author: @gnodet
Target branch:
jline-3.xOriginal description
Add SafeRegex utility that wraps regex input in a TimeoutCharSequence
to enforce a wall-clock deadline during matching. Java's backtracking
NFA engine can take exponential time on patterns with nested quantifiers
(e.g. (a+)+b); the wrapper checks System.nanoTime() every 1024 charAt()
calls and throws RegexTimeoutException if the deadline is exceeded.
Fixed 8 locations where user-controlled input was matched as a regex
without protection:
Addresses GHSA-r2xf-8xr9-62gw, GHSA-2v9w-34q6-wpqx,
GHSA-ph9c-7hw9-vhhw, GHSA-5q95-hrpc-m3w3.