Skip to content

fix: resolve ReDoS vulnerability in casing convention rules#825

Merged
pyrooka merged 2 commits into
mainfrom
nb/fix-redos
Jul 3, 2026
Merged

fix: resolve ReDoS vulnerability in casing convention rules#825
pyrooka merged 2 commits into
mainfrom
nb/fix-redos

Conversation

@pyrooka

@pyrooka pyrooka commented Jul 3, 2026

Copy link
Copy Markdown
Member

PR summary

Fixed catastrophic backtracking in regex patterns for:

  • schema-casing-convention: Changed from overlapping quantifiers to possessive pattern
  • parameter-casing-convention: Added mandatory hyphen separators to prevent overlap

The vulnerable patterns [A-Z]+...([A-Z]+...)* caused exponential time complexity with crafted inputs. New patterns execute in linear time while maintaining the same validation logic.

Test results:

  • All 1,362 existing tests pass
  • ReDoS attack patterns now complete in <1ms (previously >10s)
  • Standard headers and schema names still validated correctly

PR Checklist

General checklist

Please make sure that your PR fulfills the following requirements:

  • The commit message follows the Angular Commit Message Guidelines.
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)
  • Dependencies have been updated as needed
  • .secrets.baseline has been updated as needed
  • npm run update-utilities has been run if any files in packages/utilities/src have been updated

Checklist for adding a new validation rule:

  • Added new validation rule definition (packages/ruleset/src/rules/*.js, index.js)
  • If necessary, added new validation rule implementation (packages/ruleset/src/functions/*.js, updated index.js)
  • Added new rule to default configuration (packages/ruleset/src/ibm-oas.js)
  • Added tests for new rule (packages/ruleset/test/*.test.js)
  • Added docs for new rule (docs/ibm-cloud-rules.md)
  • Added scoring rubric entry for new rule (packages/validator/src/scoring-tool/rubric.js)

Fixed catastrophic backtracking in regex patterns for:
- schema-casing-convention: Changed from overlapping quantifiers to possessive pattern
- parameter-casing-convention: Added mandatory hyphen separators to prevent overlap

The vulnerable patterns [A-Z]+...([A-Z]+...)* caused exponential time complexity
with crafted inputs. New patterns execute in linear time while maintaining the
same validation logic.

Test results:
- All 1,362 existing tests pass
- ReDoS attack patterns now complete in <1ms (previously >10s)
- Standard headers and schema names still validated correctly

Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
@pyrooka pyrooka requested review from Andris28 and diatrcz July 3, 2026 09:20

@diatrcz diatrcz left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good!

@pyrooka pyrooka merged commit 30d9a51 into main Jul 3, 2026
9 checks passed
@pyrooka pyrooka deleted the nb/fix-redos branch July 3, 2026 09:51
ibm-devx-sdk pushed a commit that referenced this pull request Jul 3, 2026
## @ibm-cloud/openapi-ruleset [1.33.11](https://github.com/IBM/openapi-validator/compare/@ibm-cloud/openapi-ruleset@1.33.10...@ibm-cloud/openapi-ruleset@1.33.11) (2026-07-03)

### Bug Fixes

* resolve ReDoS vulnerability in casing convention rules ([#825](#825)) ([30d9a51](30d9a51))
@ibm-devx-sdk

Copy link
Copy Markdown

🎉 This PR is included in version 1.33.11 🎉

The release is available on npm package (@latest dist-tag)

Your semantic-release bot 📦🚀

@ibm-devx-sdk

Copy link
Copy Markdown

🎉 This PR is included in version 1.37.15 🎉

The release is available on npm package (@latest dist-tag)

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants