fix(extension): make isValidClassName regex non-backtracking

jbachorik · claude · jbachorik · commit dbd39645e593 · 2026-04-11T20:25:00.000+02:00
The class-name validation pattern in EmbeddedExtensionRepository used ambiguous quantifiers where the inner character class allowed '$' and the outer group matched '$'-prefixed segments. On input like 'A$A$A$A' with a trailing mismatch, the engine explored exponentially many partitions (CodeQL js/redos, alert #15). Switch the three repetitions to possessive quantifiers (`*+`) so each commit step is final. Semantics are preserved for all accepted and rejected class names (verified against SecurityValidationTest). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/btrace-extension/src/main/java/org/openjdk/btrace/extension/impl/EmbeddedExtensionRepository.java b/btrace-extension/src/main/java/org/openjdk/btrace/extension/impl/EmbeddedExtensionRepository.java
@@ -281,7 +281,8 @@ static boolean isValidClassName(String className) {
     }
     // Basic validation: must be a valid Java identifier pattern
     // Allows: package.Class, package.Class$Inner
-    return className.matches("^[a-zA-Z_][a-zA-Z0-9_]*(\\.[a-zA-Z_][a-zA-Z0-9_$]*)*(\\$[a-zA-Z_][a-zA-Z0-9_$]*)*$");
+    return className.matches(
+        "^[a-zA-Z_][a-zA-Z0-9_]*+(\\.[a-zA-Z_][a-zA-Z0-9_$]*+)*+(\\$[a-zA-Z_][a-zA-Z0-9_$]*+)*+$");
   }
 
   /**

Original file line number	Diff line number	Diff line change
`@@ -281,7 +281,8 @@ static boolean isValidClassName(String className) {`
`281`	`281`	`}`
`282`	`282`	`// Basic validation: must be a valid Java identifier pattern`
`283`	`283`	`// Allows: package.Class, package.Class$Inner`
`284`		`- return className.matches("^[a-zA-Z_][a-zA-Z0-9_](\\.[a-zA-Z_][a-zA-Z0-9_$])(\\$[a-zA-Z_][a-zA-Z0-9_$])*$");`
	`284`	`+ return className.matches(`
	`285`	`+ "^[a-zA-Z_][a-zA-Z0-9_]+(\\.[a-zA-Z_][a-zA-Z0-9_$]+)+(\\$[a-zA-Z_][a-zA-Z0-9_$]+)*+$");`
`285`	`286`	`}`
`286`	`287`
`287`	`288`	`/**`