imp(resolvers): check that regexps are safe before saving

e11sy · e11sy · commit 49c4c19b2d25 · 2025-03-17T01:01:31.000+03:00
diff --git a/package.json b/package.json
@@ -49,6 +49,7 @@
     "@types/node": "^16.11.46",
     "@types/node-fetch": "^2.5.4",
     "@types/uuid": "^8.3.4",
+    "@types/safe-regex": "^1.1.6",
     "amqp-connection-manager": "^3.1.0",
     "amqplib": "^0.5.5",
     "apollo-server-express": "^3.10.0",
@@ -73,6 +74,7 @@
     "mime-types": "^2.1.25",
     "mongodb": "^3.7.3",
     "ts-node-dev": "^2.0.0",
-    "uuid": "^8.3.2"
+    "uuid": "^8.3.2",
+    "safe-regex": "^2.1.0"
   }
 }
diff --git a/src/resolvers/projectPatterns.ts b/src/resolvers/projectPatterns.ts
@@ -1,6 +1,7 @@
 import { ResolverContextWithUser } from '../types/graphql';
 import { ApolloError } from 'apollo-server-express';
 import { ProjectEventGroupingPatternsDBScheme } from '@hawk.so/types';
+import { isSafeRegex } from 'safe-regex';
 
 /**
  * Type that represents payload for create project pattern mutation
@@ -68,6 +69,14 @@ function validateNewEventGroupingPattern(
   try {
     /* eslint-disable-next-line no-new */
     new RegExp(newEventGroupingPattern);
+
+    /**
+     * Check if pattern is safe RegExp
+     */
+    if (!isSafeRegex(newEventGroupingPattern)) {
+      throw new ApolloError('Invalid regular expression pattern');
+    }
+
   } catch (error) {
     throw new ApolloError('Invalid regular expression pattern');
   }
diff --git a/yarn.lock b/yarn.lock
@@ -1176,6 +1176,11 @@
   resolved "https://registry.yarnpkg.com/@types/range-parser/-/range-parser-1.2.4.tgz#cd667bcfdd025213aafb7ca5915a932590acdcdc"
   integrity sha512-EEhsLsD6UsDM1yFhAvy0Cjr6VwmpMWqFBCb9w07wVugF7w9nfajxLuVmngTIpgS6svCnm6Vaw+MZhoDCKnOfsw==
 
+"@types/safe-regex@^1.1.6":
+  version "1.1.6"
+  resolved "https://registry.yarnpkg.com/@types/safe-regex/-/safe-regex-1.1.6.tgz#1f13a950b77869e19626ae2dcf79e12902b38c0b"
+  integrity sha512-CQ/uPB9fLOPKwDsrTeVbNIkwfUthTWOx0l6uIGwVFjZxv7e68pCW5gtTYFzdJi3EBJp8h8zYhJbTasAbX7gEMQ==
+
 "@types/serve-static@*":
   version "1.15.0"
   resolved "https://registry.yarnpkg.com/@types/serve-static/-/serve-static-1.15.0.tgz#c7930ff61afb334e121a9da780aac0d9b8f34155"
@@ -5632,6 +5637,11 @@ regex-not@^1.0.0, regex-not@^1.0.2:
     extend-shallow "^3.0.2"
     safe-regex "^1.1.0"
 
+regexp-tree@~0.1.1:
+  version "0.1.27"
+  resolved "https://registry.yarnpkg.com/regexp-tree/-/regexp-tree-0.1.27.tgz#2198f0ef54518ffa743fe74d983b56ffd631b6cd"
+  integrity sha512-iETxpjK6YoRWJG5o6hXLwvjYAoW+FEZn9os0PD/b6AP6xQwsa/Y7lCVgIixBbUPMfhu+i2LtdeAqVTgGlQarfA==
+
 regexp.prototype.flags@^1.4.3:
   version "1.4.3"
   resolved "https://registry.yarnpkg.com/regexp.prototype.flags/-/regexp.prototype.flags-1.4.3.tgz#87cab30f80f66660181a3bb7bf5981a872b367ac"
@@ -5803,6 +5813,13 @@ safe-regex@^1.1.0:
   dependencies:
     ret "~0.1.10"
 
+safe-regex@^2.1.0:
+  version "2.1.1"
+  resolved "https://registry.yarnpkg.com/safe-regex/-/safe-regex-2.1.1.tgz#f7128f00d056e2fe5c11e81a1324dd974aadced2"
+  integrity sha512-rx+x8AMzKb5Q5lQ95Zoi6ZbJqwCLkqi3XuJXp5P3rT8OEc6sZCJG5AE5dU3lsgRr/F4Bs31jSlVN+j5KrsGu9A==
+  dependencies:
+    regexp-tree "~0.1.1"
+
 "safer-buffer@>= 2.1.2 < 3":
   version "2.1.2"
   resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
