Defaultinator / defaultinator-api

MIT License

Potential regular expression denial of service (ReDoS) #1

Open luciddr34m3r opened 2 years ago

luciddr34m3r commented 2 years ago

Imported from upstream, reported by mkienow-r7.

prefix is controllable by the caller and could result in a regular expression denial of service (ReDoS).

_id: {$regex: new RegExp('^' + prefix, 'i')}

luciddr34m3r commented 2 years ago

Need to do input validation on the prefix field. Probably should just be restricted to characters that are valid for the grammar, which can be found in the CPE documentation.

A dep like Yup might be what we want to get this fixed.
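The following is an added example, not code from the defaultinator-api project, showing the unsafe query construction quoted in the first comment next to the validate-then-escape construction the second comment suggests. It uses a plain RegExp allowlist instead of Yup so it runs without dependencies. The allowlist (CPE_PREFIX_PATTERN), the helper names (isValidCpePrefix, escapeRegExp, buildUnsafeQuery, buildSafeQuery, matchIds) and the sample ids are all assumptions made for the example; the allowlist is a simplification of the CPE 2.3 formatted-string grammar that deliberately leaves out the '*' and '?' wildcards because they are also regex metacharacters.

```javascript
// Added example (not the project's code): validate a caller-supplied
// `prefix` before it is embedded in a MongoDB $regex query.

// Assumption: a simplified allowlist derived from the CPE 2.3 formatted-string
// grammar (letters, digits, '.', '_', '-', ':'), with a length cap. The real
// grammar also permits '*', '?' and backslash-escaped punctuation; those are
// excluded here because they double as regex metacharacters.
const CPE_PREFIX_PATTERN = /^[A-Za-z0-9._:-]{1,255}$/;

function isValidCpePrefix(prefix) {
  return typeof prefix === 'string' && CPE_PREFIX_PATTERN.test(prefix);
}

// Escape every regex metacharacter so the value can only match literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// The construction quoted in the issue: `prefix` goes into the pattern
// unchanged, so any regex syntax in it is interpreted by the engine.
function buildUnsafeQuery(prefix) {
  return { _id: { $regex: new RegExp('^' + prefix, 'i') } };
}

// Hardened construction: reject anything outside the allowlist, then escape
// what remains so the resulting regex is always an anchored literal prefix.
function buildSafeQuery(prefix) {
  if (!isValidCpePrefix(prefix)) {
    throw new RangeError('prefix contains characters outside the CPE grammar');
  }
  return { _id: { $regex: new RegExp('^' + escapeRegExp(prefix), 'i') } };
}

// Constructed sample ids (not real data) to show the safe query still
// behaves as a prefix filter on well-formed input.
const SAMPLE_IDS = [
  'cpe:2.3:a:apache:httpd',
  'cpe:2.3:a:apache:tomcat',
  'cpe:2.3:o:linux:kernel',
];

// Apply the query's regex locally, standing in for the database lookup.
function matchIds(query, ids) {
  return ids.filter((id) => query._id.$regex.test(id));
}

console.log(matchIds(buildSafeQuery('cpe:2.3:a:apache'), SAMPLE_IDS));
```

Validating first and escaping second is deliberate: the allowlist is the control that matters for ReDoS, and the escape step is a safety net in case the allowlist is later widened to include CPE wildcards.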