security: close 2 new CodeQL alerts (ReDoS + HTTP response splitting)

py/polynomial-redos (wiki_export.py:142)
  The frontmatter key:value matcher
    r"^([A-Za-z_][\w-]*)\s*:\s*(.*)$"
  has two repetition steps whose ranges overlap on adversarial
  input like "A:" followed by N tabs, producing O(n²) backtracking.

  Replaced with str.partition(":") + a tight bounded key validator
  r"^[A-Za-z_][\w-]{0,62}$". No quantifier overlap, no backtracking
  hazard. 100 000-tab input now processes in sub-millisecond time.
  Added a 1000-char per-line sanity cap as defence in depth.

py/http-response-splitting (http_viz_server.py:352 + http_standalone mirror)
  The Content-Disposition filename was built by literal f-string
  interpolation of a user-controlled path component. CRLF in the
  filename would enable header injection (Set-Cookie, cache
  poisoning, etc.).

  Sanitized to [A-Za-z0-9._-] only (re.sub r"[^\w.-]", "_") and
  capped at 200 chars before the header. The format suffix gets the
  same treatment (guard on our own constant map, but belt-and-braces
  against future changes).

Author: cdeust

mcp_server/handlers/wiki_export.py

@@ -118,6 +118,16 @@ def _read_body(wiki_root: Path, rel_path: str | None, body: str | None) -> str:
     return content
 
 
+# Tight key validator — anchored, bounded length, no backtracking.
+# Replaces an earlier full-line regex that CodeQL flagged as
+# polynomial-redos (py/polynomial-redos): `\s*` + `.*$` combined on
+# an unbounded user-provided line could backtrack quadratically on
+# adversarial inputs such as "A:\t\t\t…". Using str.partition() for
+# the split eliminates the overlapping quantifiers entirely.
+_FM_KEY_RE = re.compile(r"^[A-Za-z_][\w-]{0,62}$")
+_FM_MAX_LINE = 1000  # sanity cap — valid frontmatter keys never approach this
+
+
 def _split_frontmatter(markdown: str) -> tuple[dict, str]:
     """Parse a best-effort frontmatter block out of ``markdown``.
 
@@ -137,16 +147,17 @@ def _split_frontmatter(markdown: str) -> tuple[dict, str]:
     body = markdown[end + 4 :].lstrip("\n")
     fields: dict[str, str] = {}
     for line in raw.splitlines():
-        # Match `key: value` with value running to end-of-line; values
-        # can contain any character including further colons.
-        m = re.match(r"^([A-Za-z_][\w-]*)\s*:\s*(.*)$", line)
-        if not m:
+        if len(line) > _FM_MAX_LINE or ":" not in line:
+            continue
+        key, _, value = line.partition(":")
+        key = key.strip()
+        value = value.strip()
+        if not _FM_KEY_RE.match(key):
             continue
-        k, v = m.group(1), m.group(2).strip()
         # Strip surrounding quotes if present; otherwise keep as-is.
-        if len(v) >= 2 and v[0] == v[-1] and v[0] in ("'", '"'):
-            v = v[1:-1]
-        fields[k] = v
+        if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
+            value = value[1:-1]
+        fields[key] = value
     return fields, body
 
 

mcp_server/server/http_standalone.py

@@ -446,12 +446,19 @@ def _serve_wiki_export(self):
                     self.wfile.write(body)
                     return
                 data = base64.b64decode(result["content_base64"])
-                filename = (rel_path.split("/")[-1] or "page").rsplit(".", 1)[0]
+                # Sanitize — rel_path is user-controlled, mustn't
+                # carry \r\n into the response header (CodeQL
+                # py/http-response-splitting).
+                import re as _re_safe
+
+                raw_name = (rel_path.split("/")[-1] or "page").rsplit(".", 1)[0]
+                filename = _re_safe.sub(r"[^\w.-]", "_", raw_name)[:200] or "page"
+                fmt_out = _re_safe.sub(r"[^\w]", "", result["format"])[:16]
                 self.send_response(200)
                 self.send_header("Content-Type", result["mime"])
                 self.send_header(
                     "Content-Disposition",
-                    f'attachment; filename="{filename}.{result["format"]}"',
+                    f'attachment; filename="{filename}.{fmt_out}"',
                 )
                 self.send_header("Content-Length", str(len(data)))
                 self.send_header("Access-Control-Allow-Origin", "*")

mcp_server/server/http_viz_server.py

@@ -344,12 +344,20 @@ def _serve_wiki_export(self):
                     send_json_response(self, result)
                     return
                 data = base64.b64decode(result["content_base64"])
-                filename = (rel_path.split("/")[-1] or "page").rsplit(".", 1)[0]
+                # Sanitize filename before it flows into the
+                # Content-Disposition header — rel_path is user-
+                # controlled via the ?path= query string. CodeQL
+                # py/http-response-splitting: any \r\n in the value
+                # would allow header injection. Allow only safe
+                # filesystem chars and cap length.
+                raw_name = (rel_path.split("/")[-1] or "page").rsplit(".", 1)[0]
+                filename = re.sub(r"[^\w.-]", "_", raw_name)[:200] or "page"
+                fmt_out = re.sub(r"[^\w]", "", result["format"])[:16]
                 self.send_response(200)
                 self.send_header("Content-Type", result["mime"])
                 self.send_header(
                     "Content-Disposition",
-                    f'attachment; filename="{filename}.{result["format"]}"',
+                    f'attachment; filename="{filename}.{fmt_out}"',
                 )
                 self.send_header("Content-Length", str(len(data)))
                 self.send_header("Access-Control-Allow-Origin", "*")