Skip to content

Commit 59a0e3c

Browse files
os-zhuangclaude
andcommitted
harden api-key scheme regexes against polynomial backtracking
CodeQL flagged `^(ApiKey|Bearer)\s+(.+)$` as polynomial-ReDoS: `\s+` and `.+` both match whitespace, so an all-whitespace tail backtracks O(n²). Anchor the capture to a non-whitespace first char (`\s+(\S.*)`) — linear, same behaviour for every valid header. Clears the pre-existing ApiKey alert too. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 1f18569 commit 59a0e3c

1 file changed

Lines changed: 2 additions & 2 deletions

File tree

packages/core/src/security/api-key.ts

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -84,10 +84,10 @@ export function extractApiKey(headers: any): string | undefined {
8484
if (x && x.trim()) return x.trim();
8585
const auth = readHeader(headers, 'authorization');
8686
if (!auth) return undefined;
87-
const apiKeyScheme = auth.match(/^ApiKey\s+(.+)$/i);
87+
const apiKeyScheme = auth.match(/^ApiKey\s+(\S.*)$/i);
8888
if (apiKeyScheme?.[1]?.trim()) return apiKeyScheme[1].trim();
8989
// Bearer is accepted only for prefixed api-keys (never for session tokens).
90-
const bearer = auth.match(/^Bearer\s+(.+)$/i)?.[1]?.trim();
90+
const bearer = auth.match(/^Bearer\s+(\S.*)$/i)?.[1]?.trim();
9191
if (bearer && bearer.startsWith(API_KEY_PREFIX)) return bearer;
9292
return undefined;
9393
}

0 commit comments

Comments
 (0)