Add regex caching and pattern validation to trim methods #7803

Draft
Copilot wants to merge 5 commits into main from copilot/sub-pr-7800

Copilot AI commented Jan 8, 2026

Addresses security and performance issues in trim_start_pattern and trim_end_pattern where regex compilation occurs on every call with unbounded user input.

Changes

  • Pattern length validation: 100 char limit to mitigate ReDoS attacks
  • Global regex cache: OnceLock<Mutex<HashMap<String, Arc<Regex>>>> to avoid recompiling identical patterns
  • Arc wrapping: Share compiled regex state machines without clone overhead
  • Documentation: Security notes on remaining ReDoS risks from complex nested patterns

Implementation

// Before: recompiles on every call
match regex::Regex::new(&regex_pattern) {
    Ok(re) => { /* use re */ }
    Err(_) => s.trim_start(),
}

// After: cached and validated
if pattern.len() > MAX_PATTERN_LENGTH {
    return s.trim_start();
}
if let Some(re) = get_cached_regex(&regex_pattern) {
    // Arc::clone is cheap, re is shared
}

Cache is naturally bounded by pattern length limit and typical usage (primarily \s and [\r\n] patterns hit fast paths).
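
The validate-then-cache flow described in this PR, as an added example that is not the PR's or the project's code. `PatternCache`, `get_or_compile` and the `max_entries` cap are hypothetical names and assumptions, and the `compile` closure stands in for `regex::Regex::new(p).ok()` so the block builds with the standard library alone.

```rust
use std::collections::HashMap;
use std::sync::{Arc, Mutex};

/// Hypothetical bounded cache; `T` stands in for a compiled `regex::Regex`.
pub struct PatternCache<T> {
    max_pattern_len: usize, // compared with str::len(), so a limit in bytes
    max_entries: usize,     // assumed cap; not a value from the PR
    entries: Mutex<HashMap<String, Arc<T>>>,
}

impl<T> PatternCache<T> {
    pub fn new(max_pattern_len: usize, max_entries: usize) -> Self {
        Self { max_pattern_len, max_entries, entries: Mutex::new(HashMap::new()) }
    }

    /// Returns the shared compiled pattern, or None when the pattern is too
    /// long or `compile` rejects it, so the caller can fall back to plain trimming.
    pub fn get_or_compile<F>(&self, pattern: &str, compile: F) -> Option<Arc<T>>
    where
        F: FnOnce(&str) -> Option<T>,
    {
        // Validate first: an oversized pattern is neither compiled nor stored.
        if pattern.len() > self.max_pattern_len {
            return None;
        }
        // Compiling under the lock: one compile per pattern, but callers serialize.
        let mut map = self.entries.lock().unwrap_or_else(|e| e.into_inner());
        if let Some(hit) = map.get(pattern) {
            return Some(Arc::clone(hit)); // reference-count bump only
        }
        let compiled = Arc::new(compile(pattern)?);
        // At the cap, still serve the caller but stop growing the map.
        if map.len() < self.max_entries {
            map.insert(pattern.to_owned(), Arc::clone(&compiled));
        }
        Some(compiled)
    }

    pub fn len(&self) -> usize {
        self.entries.lock().unwrap_or_else(|e| e.into_inner()).len()
    }
}

fn main() {
    // Constructed demo: the closures stand in for `Regex::new(p).ok()`.
    let cache = PatternCache::new(100, 2);
    let a = cache.get_or_compile("\\s+", |p| Some(p.to_owned())).unwrap();
    let b = cache.get_or_compile("\\s+", |_| unreachable!("cache hit")).unwrap();
    println!("shared: {}, entries: {}", Arc::ptr_eq(&a, &b), cache.len());
}
```

Because the length check uses `str::len()`, a pattern of 34 three-byte characters is rejected by a limit of 100 even though it is shorter than 100 characters.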


- Add pattern length validation (max 100 chars) to prevent DoS attacks
- Implement regex caching using std::sync::OnceLock and parking_lot::Mutex
- Apply security fixes to trim_start_pattern and trim_end_pattern functions
- Add parking_lot dependency to string_wizard crate

Co-authored-by: IWANABETHATGUY <[email protected]>
Base automatically changed from 01-08-feat_nativemagicstring_trim_methods to main January 8, 2026 10:36
Copilot AI and others added 2 commits January 8, 2026 10:37
- Eliminate unnecessary clone in get_cached_regex
- Add documentation about cache size bounds
- Add security notes about ReDoS risks in function docs

Co-authored-by: IWANABETHATGUY <[email protected]>
Replace direct Regex clones with Arc<Regex> to avoid expensive
cloning of compiled state machines. Arc::clone only increments
a reference count, avoiding the need to clone the compiled regex.

Co-authored-by: IWANABETHATGUY <[email protected]>
Copilot AI changed the title [WIP] Update nativeMagicString trim methods based on feedback Add regex caching and pattern validation to trim methods Jan 8, 2026
Copilot AI requested a review from IWANABETHATGUY January 8, 2026 10:40
netlify bot commented Jan 8, 2026

Deploy Preview for rolldown-rs ready!

Name Link
🔨 Latest commit 554ea77
🔍 Latest deploy log https://app.netlify.com/projects/rolldown-rs/deploys/695f88e949d5ff0008511d3d
😎 Deploy Preview https://deploy-preview-7803--rolldown-rs.netlify.app

netlify bot commented Jan 8, 2026

Deploy Preview for rolldown-rs canceled.

Name Link
🔨 Latest commit b024c6a
🔍 Latest deploy log https://app.netlify.com/projects/rolldown-rs/deploys/695f8948616bd600080a3949
