fix: address remaining regex DoS security hotspots

Author: nikolay-e

src/treemapper/diffctx/edges/config/build.py

@@ -9,20 +9,21 @@
 _MAKEFILE_NAMES = {"makefile", "gnumakefile"}
 _MAKEFILE_EXTS = {".mk", ".mak", ".make"}
 
-_MAKE_TARGET_RE = re.compile(r"^([a-zA-Z_][a-zA-Z0-9_.-]*)\s*:(?!=)", re.MULTILINE)
-_MAKE_INCLUDE_RE = re.compile(r"^(?:-)?include\s+([^\n]+)$", re.MULTILINE)
-_MAKE_VAR_RE = re.compile(r"^\s*([A-Z_][A-Z0-9_]*)\s*[:?]?=", re.MULTILINE)
-_MAKE_RECIPE_RE = re.compile(r"^\t(.+)$", re.MULTILINE)
+_MAKE_TARGET_RE = re.compile(r"^([a-zA-Z_][a-zA-Z0-9_.-]{0,100})\s{0,20}:(?!=)", re.MULTILINE)
+_MAKE_INCLUDE_RE = re.compile(r"^(?:-)?include\s+([^\n]{1,500})$", re.MULTILINE)
+_MAKE_VAR_RE = re.compile(r"^\s{0,20}([A-Z_][A-Z0-9_]{0,100})\s{0,20}[:?]?=", re.MULTILINE)
+_MAKE_RECIPE_RE = re.compile(r"^\t([^\n]{1,1000})$", re.MULTILINE)
 
-_CMAKE_ADD_EXE_RE = re.compile(r"add_executable\s*\(\s*(\w+)", re.IGNORECASE)
-_CMAKE_ADD_LIB_RE = re.compile(r"add_library\s*\(\s*(\w+)", re.IGNORECASE)
+_CMAKE_ADD_EXE_RE = re.compile(r"add_executable\s{0,10}\(\s{0,10}(\w{1,100})", re.IGNORECASE)
+_CMAKE_ADD_LIB_RE = re.compile(r"add_library\s{0,10}\(\s{0,10}(\w{1,100})", re.IGNORECASE)
 _CMAKE_TARGET_LINK_RE = re.compile(
-    r"target_link_libraries\s*\(\s*(\w+)\s+(?:PUBLIC|PRIVATE|INTERFACE)?\s*([^)]+)\)", re.IGNORECASE
+    r"target_link_libraries\s{0,10}\(\s{0,10}(\w{1,100})\s{1,20}(?:PUBLIC|PRIVATE|INTERFACE)?\s{0,10}([^)]{1,500})\)",
+    re.IGNORECASE,
 )
-_CMAKE_INCLUDE_RE = re.compile(r"include\s*\(\s*([^)]+)\)", re.IGNORECASE)
-_CMAKE_ADD_SUBDIR_RE = re.compile(r"add_subdirectory\s*\(\s*([^\)\s]+)", re.IGNORECASE)
-_CMAKE_FIND_PKG_RE = re.compile(r"find_package\s*\(\s*(\w+)", re.IGNORECASE)
-_CMAKE_SET_RE = re.compile(r"set\s*\(\s*([A-Z_][A-Z0-9_]*)", re.IGNORECASE)
+_CMAKE_INCLUDE_RE = re.compile(r"include\s{0,10}\(\s{0,10}([^)]{1,300})\)", re.IGNORECASE)
+_CMAKE_ADD_SUBDIR_RE = re.compile(r"add_subdirectory\s{0,10}\(\s{0,10}([^\)\s]{1,200})", re.IGNORECASE)
+_CMAKE_FIND_PKG_RE = re.compile(r"find_package\s{0,10}\(\s{0,10}(\w{1,100})", re.IGNORECASE)
+_CMAKE_SET_RE = re.compile(r"set\s{0,10}\(\s{0,10}([A-Z_][A-Z0-9_]{0,100})", re.IGNORECASE)
 
 _SCRIPT_CALL_RE = re.compile(r"(?:bash|sh|python|python3|\.\/scripts\/|\.\/bin\/)([a-zA-Z0-9_.-]+)")
 _SOURCE_FILE_RE = re.compile(r"\b([a-zA-Z_]\w*\.(?:c|cpp|cc|cxx|h|hpp|hxx|py|sh|go|rs|java))\b")

src/treemapper/diffctx/edges/config/cicd.py

@@ -6,10 +6,14 @@
 from ...types import Fragment, FragmentId
 from ..base import EdgeBuilder, EdgeDict, FragmentIndex, discover_files_by_refs
 
-_GHA_RUN_RE = re.compile(r"^\s*-?\s*run:\s*[|>]?\s*([^\n]+)", re.MULTILINE)
-
-_GITLAB_SCRIPT_RE = re.compile(r"^\s*(?:script|before_script|after_script):\s*\n((?:\s+-\s*.+\n)+)", re.MULTILINE)
-_GITLAB_INCLUDE_RE = re.compile(r"^\s*-?\s*(?:local|project|remote|template):\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
+_GHA_RUN_RE = re.compile(r"^\s{0,20}-?\s{0,5}run:\s{0,5}[|>]?\s{0,5}([^\n]{1,500})", re.MULTILINE)
+
+_GITLAB_SCRIPT_RE = re.compile(
+    r"^\s{0,20}(?:script|before_script|after_script):\s?\n((?:\s{1,20}-\s{0,5}[^\n]{1,500}\n){1,100})", re.MULTILINE
+)
+_GITLAB_INCLUDE_RE = re.compile(
+    r"^\s{0,20}-?\s{0,5}(?:local|project|remote|template):\s{0,5}['\"]?([^'\"#\n]{1,300})", re.MULTILINE
+)
 
 _JENKINS_SH_RE = re.compile(r"sh\s*(?:\(['\"]|['\"])(.+?)['\"]\)?", re.MULTILINE | re.DOTALL)
 _JENKINS_SCRIPT_RE = re.compile(r"script\s*\{([^}]+)\}", re.MULTILINE | re.DOTALL)

src/treemapper/diffctx/edges/config/kubernetes.py

@@ -7,29 +7,31 @@
 from ...types import Fragment, FragmentId
 from ..base import EdgeBuilder, EdgeDict
 
-_K8S_API_VERSION_RE = re.compile(r"^apiVersion:\s*([^\s#]+)", re.MULTILINE)
-_K8S_KIND_RE = re.compile(r"^kind:\s*(\w+)", re.MULTILINE)
-_K8S_NAME_RE = re.compile(r"^\s+name:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
-_K8S_NAMESPACE_RE = re.compile(r"^\s+namespace:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
-
-_CONFIGMAP_REF_RE = re.compile(r"configMapKeyRef:\s*\n\s+name:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
-_CONFIGMAP_NAME_RE = re.compile(r"configMapName:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
-_SECRET_REF_RE = re.compile(r"secretKeyRef:\s*\n\s+name:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
-_SECRET_NAME_RE = re.compile(r"secretName:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
-
-_SERVICE_NAME_RE = re.compile(r"serviceName:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
-_BACKEND_SERVICE_RE = re.compile(r"service:\s*\n\s+name:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
-
-_IMAGE_RE = re.compile(r"^\s+image:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
-
-_SELECTOR_MATCH_LABELS_RE = re.compile(r"selector:\s*\n\s+matchLabels:\s*\n((?:\s+[a-zA-Z0-9_./-]+:\s*[^\n:]+\n)+)", re.MULTILINE)
-_LABELS_RE = re.compile(r"labels:\s*\n((?:\s+[a-zA-Z0-9_./-]+:\s*[^\n:]+\n)+)", re.MULTILINE)
-_LABEL_PAIR_RE = re.compile(r"^\s*([a-zA-Z0-9_./-]+):\s*['\"]?([a-zA-Z0-9_./-]+)['\"]?\s*$", re.MULTILINE)
-_SIMPLE_SELECTOR_RE = re.compile(r"selector:\s*\n((?:\s+[a-zA-Z0-9_./-]+:\s*[^\n:]+\n)+)", re.MULTILINE)
-
-_VOLUME_CONFIGMAP_RE = re.compile(r"configMap:\s*\n\s+name:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
-_VOLUME_SECRET_RE = re.compile(r"secret:\s*\n\s+secretName:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
-_VOLUME_PVC_RE = re.compile(r"persistentVolumeClaim:\s*\n\s+claimName:\s*['\"]?([^'\"#\n]+)", re.MULTILINE)
+_K8S_API_VERSION_RE = re.compile(r"^apiVersion:\s?([^\s#]{1,100})", re.MULTILINE)
+_K8S_KIND_RE = re.compile(r"^kind:\s?(\w{1,100})", re.MULTILINE)
+_K8S_NAME_RE = re.compile(r"^\s{1,20}name:\s?['\"]?([^'\"#\n]{1,200})", re.MULTILINE)
+_K8S_NAMESPACE_RE = re.compile(r"^\s{1,20}namespace:\s?['\"]?([^'\"#\n]{1,200})", re.MULTILINE)
+
+_CONFIGMAP_REF_RE = re.compile(r"configMapKeyRef:\s?\n\s{1,20}name:\s?['\"]?([^'\"#\n]{1,200})", re.MULTILINE)
+_CONFIGMAP_NAME_RE = re.compile(r"configMapName:\s?['\"]?([^'\"#\n]{1,200})", re.MULTILINE)
+_SECRET_REF_RE = re.compile(r"secretKeyRef:\s?\n\s{1,20}name:\s?['\"]?([^'\"#\n]{1,200})", re.MULTILINE)
+_SECRET_NAME_RE = re.compile(r"secretName:\s?['\"]?([^'\"#\n]{1,200})", re.MULTILINE)
+
+_SERVICE_NAME_RE = re.compile(r"serviceName:\s?['\"]?([^'\"#\n]{1,200})", re.MULTILINE)
+_BACKEND_SERVICE_RE = re.compile(r"service:\s?\n\s{1,20}name:\s?['\"]?([^'\"#\n]{1,200})", re.MULTILINE)
+
+_IMAGE_RE = re.compile(r"^\s{1,20}image:\s?['\"]?([^'\"#\n]{1,300})", re.MULTILINE)
+
+_SELECTOR_MATCH_LABELS_RE = re.compile(
+    r"selector:\s?\n\s{1,20}matchLabels:\s?\n((?:\s{1,20}[a-zA-Z0-9_./-]{1,100}:\s?[^\n:]{1,200}\n){1,50})", re.MULTILINE
+)
+_LABELS_RE = re.compile(r"labels:\s?\n((?:\s{1,20}[a-zA-Z0-9_./-]{1,100}:\s?[^\n:]{1,200}\n){1,50})", re.MULTILINE)
+_LABEL_PAIR_RE = re.compile(r"^\s{0,20}([a-zA-Z0-9_./-]{1,100}):\s?['\"]?([a-zA-Z0-9_./-]{1,100})['\"]?\s{0,10}$", re.MULTILINE)
+_SIMPLE_SELECTOR_RE = re.compile(r"selector:\s?\n((?:\s{1,20}[a-zA-Z0-9_./-]{1,100}:\s?[^\n:]{1,200}\n){1,50})", re.MULTILINE)
+
+_VOLUME_CONFIGMAP_RE = re.compile(r"configMap:\s?\n\s{1,20}name:\s?['\"]?([^'\"#\n]{1,200})", re.MULTILINE)
+_VOLUME_SECRET_RE = re.compile(r"secret:\s?\n\s{1,20}secretName:\s?['\"]?([^'\"#\n]{1,200})", re.MULTILINE)
+_VOLUME_PVC_RE = re.compile(r"persistentVolumeClaim:\s?\n\s{1,20}claimName:\s?['\"]?([^'\"#\n]{1,200})", re.MULTILINE)
 
 _YAML_EXTS = {".yaml", ".yml"}