fix: use replaceAll in processTemplate to prevent ReDoS vulnerabilities

LonoxX · LonoxX · commit 3a01248e0fab · 2026-01-16T09:18:35.000+01:00
diff --git a/src/util/templateUtils.ts b/src/util/templateUtils.ts
@@ -350,9 +350,9 @@ export function processTemplate(
 		replacements["{parent_issue_state}"] = "";
 	}
 
-	// Replace all variables
+	// Replace all variables (using replaceAll to avoid ReDoS vulnerabilities)
 	for (const [placeholder, value] of Object.entries(replacements)) {
-		result = result.replace(new RegExp(escapeRegExp(placeholder), "g"), value);
+		result = result.replaceAll(placeholder, value);
 	}
 
 	// Process dynamic project field access: {project_field:FieldName}
diff --git a/tsconfig.json b/tsconfig.json
@@ -11,7 +11,7 @@
 		"importHelpers": true,
 		"isolatedModules": true,
 		"strictNullChecks": true,
-		"lib": ["DOM", "ES5", "ES6", "ES7"]
+		"lib": ["DOM", "ES5", "ES6", "ES7", "ES2021"]
 	},
 	"include": ["**/*.ts"]
 }

Original file line number	Diff line number	Diff line change
`@@ -350,9 +350,9 @@ export function processTemplate(`
`350`	`350`	`replacements["{parent_issue_state}"] = "";`
`351`	`351`	`}`
`352`	`352`
`353`		`- // Replace all variables`
	`353`	`+ // Replace all variables (using replaceAll to avoid ReDoS vulnerabilities)`
`354`	`354`	`for (const [placeholder, value] of Object.entries(replacements)) {`
`355`		`- result = result.replace(new RegExp(escapeRegExp(placeholder), "g"), value);`
	`355`	`+ result = result.replaceAll(placeholder, value);`
`356`	`356`	`}`
`357`	`357`
`358`	`358`	`// Process dynamic project field access: {project_field:FieldName}`