fix: bound regex quantifiers in _PY_IMPORT_RE to prevent ReDoS

nikolay-e · nikolay-e · commit 864ff701c986 · 2026-02-08T15:57:19.000+01:00
diff --git a/src/treemapper/diffctx/edges/semantic/python.py b/src/treemapper/diffctx/edges/semantic/python.py
@@ -14,7 +14,7 @@
 _SYMBOL_REF_WEIGHT = 0.95
 _TYPE_REF_WEIGHT = 0.60
 
-_PY_IMPORT_RE = re.compile(r"(?:from\s+(\.{0,3}[\w.]{0,200})\s+import|import\s+([\w.]{1,200}))")
+_PY_IMPORT_RE = re.compile(r"(?:from\s{1,20}(\.{0,3}[\w.]{0,200})\s{1,20}import|import\s{1,20}([\w.]{1,200}))")
 
 
 def _is_python_file(path: Path) -> bool:
