Closed. marekdedic closed this 3 years ago.
I don't think the failing CI has anything to do with the PR - let me know if it does.
Hey, any progress on this? This is a blocking issue for me...
Thanks a lot, Marek
@marekdedic, apologies for the late reply. Could you provide some tests and changelog entry for this?
Hi, thanks for the reply anyway :slightly_smiling_face:
I've added a changelog entry, however, I'm a bit stuck with the tests, see #126.
@marekdedic I had a look at the example you provided and after adding `?` as you suggest, I am only getting a match on `.`:
https://regex101.com/r/MlbAhW/1 vs https://regex101.com/r/MlbAhW/2
I don't think this is correct?
Hmm, it's not correct. I don't really know how to fix it though, as I am not really sure what the `matchOutsideOfBrackets` function does...
To be honest, I don't know either. I have not written this package and I am only maintaining it. Approving PR and releasing the new versions. The only person who knows is @anandthakker, but he is not responsive :(
Hi,
I looked over it once more and it seems to me that the function `matchOutsideOfBrackets(X)` checks whether there is the character `X` somewhere not inside `[]` or `()`. So the match on `.` would actually be correct. And expanding the regex constructed by `matchOutsideOfBrackets`, the non-greedy approach doesn't change the meaning.
So I do actually think this PR is correct, however there is one more thing... We can actually undo #88 with this change and simplify it!
(and undoing #88 would allow for testing for catastrophic regexes...)
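For readers following the thread, here is an added illustration (not the package's own code) of the behaviour described above, a check for whether a character occurs somewhere outside `[]` and `()`, written as a single linear-time scan instead of a backtracking regex. The function name `matchOutsideOfBrackets` and its semantics are assumed from the comment above; the sample inputs are constructed.

```javascript
// Added example: bracket-aware "does this character occur outside [] and ()"
// check done as a plain character scan. The name matchOutsideOfBrackets and
// the semantics are assumed from the discussion; this is not the package's
// implementation. Runtime is O(text.length) for every input, so there is no
// pathological case the way a nested-quantifier regex can have.
function matchOutsideOfBrackets(text, ch) {
  let depth = 0; // combined nesting depth of ( ) and [ ]
  for (const c of text) {
    if (c === '(' || c === '[') {
      depth += 1;
    } else if (c === ')' || c === ']') {
      // A stray closer is ignored rather than letting depth go negative,
      // so malformed input still finishes in one pass.
      if (depth > 0) depth -= 1;
    } else if (depth === 0 && c === ch) {
      return true;
    }
  }
  return false;
}

// Constructed sample inputs showing the expected outcomes.
function demo() {
  return {
    insideParens: matchOutsideOfBrackets('a(b.c)d', '.'),   // false
    afterParens: matchOutsideOfBrackets('a(b)c.d', '.'),    // true
    nested: matchOutsideOfBrackets('x[(.)]y', '.'),         // false
    nestedThenOutside: matchOutsideOfBrackets('x[(.)]y.', '.'), // true
    strayCloser: matchOutsideOfBrackets(')(.', '.'),        // false
  };
}
```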
Hi, the PR is now working and with tests for unsafe regexes (not limited to the one in #95)
Hmm, so the tests wouldn't catch #95. I've tried switching safe-regex for vuln-regex-detector but that seems to be abandoned... So at least an imperfect test...
And thank you for putting effort into this! :)
Hold your horses. I think I've found some more performance issues with this function. Going to go for a different solution to solve it once and for all.
Hi, I've reworked it to not use such a horrendous regex but a simpler function instead. Unit tests pass, tried it on 2 of my projects, same output, no performance issues. I think you can merge this now.
Let's give it a try and release it as next major version :)
Fixes #95