Security fix: Escape regex characters and remove dead code

Copilot · hotlong · Copilot · commit e5cf85ed3e39 · 2026-01-23T16:08:25.000Z
- Add escapeRegex() helper to prevent ReDoS attacks
- Escape special regex characters in contains/startswith/endswith operators
- Remove unused buildSortObject() method (manual sort is used instead)
- Prevent regex injection vulnerabilities in query filters

Co-authored-by: hotlong &lt;50353452+hotlong@users.noreply.github.com&gt;
diff --git a/packages/drivers/memory/MINGO_INTEGRATION.md b/packages/drivers/memory/MINGO_INTEGRATION.md
@@ -0,0 +1,116 @@
+/**
+ * Demonstration of Mingo Integration in Memory Driver
+ * 
+ * This file shows how ObjectQL filters are converted to MongoDB queries
+ * and processed by Mingo for in-memory data.
+ */
+
+// Example filter conversions:
+
+/**
+ * Example 1: Simple Equality
+ * 
+ * ObjectQL Filter:
+ * [['role', '=', 'admin']]
+ * 
+ * Converts to MongoDB Query:
+ * { role: 'admin' }
+ */
+
+/**
+ * Example 2: Comparison Operators
+ * 
+ * ObjectQL Filter:
+ * [['age', '>', 30]]
+ * 
+ * Converts to MongoDB Query:
+ * { age: { $gt: 30 } }
+ */
+
+/**
+ * Example 3: OR Logic
+ * 
+ * ObjectQL Filter:
+ * [
+ *   ['role', '=', 'admin'],
+ *   'or',
+ *   ['age', '>', 30]
+ * ]
+ * 
+ * Converts to MongoDB Query:
+ * {
+ *   $or: [
+ *     { role: 'admin' },
+ *     { age: { $gt: 30 } }
+ *   ]
+ * }
+ */
+
+/**
+ * Example 4: AND Logic (Multiple Conditions)
+ * 
+ * ObjectQL Filter:
+ * [
+ *   ['status', '=', 'active'],
+ *   'and',
+ *   ['role', '=', 'user']
+ * ]
+ * 
+ * Converts to MongoDB Query:
+ * {
+ *   $and: [
+ *     { status: 'active' },
+ *     { role: 'user' }
+ *   ]
+ * }
+ */
+
+/**
+ * Example 5: String Contains (Case-Insensitive)
+ * 
+ * ObjectQL Filter:
+ * [['name', 'contains', 'john']]
+ * 
+ * Converts to MongoDB Query:
+ * { name: { $regex: /john/i } }
+ */
+
+/**
+ * Example 6: IN Operator
+ * 
+ * ObjectQL Filter:
+ * [['status', 'in', ['active', 'pending']]]
+ * 
+ * Converts to MongoDB Query:
+ * { status: { $in: ['active', 'pending'] } }
+ */
+
+/**
+ * Example 7: Between Range
+ * 
+ * ObjectQL Filter:
+ * [['age', 'between', [25, 35]]]
+ * 
+ * Converts to MongoDB Query:
+ * { age: { $gte: 25, $lte: 35 } }
+ */
+
+/**
+ * Implementation Details:
+ * 
+ * The MemoryDriver now uses:
+ * 
+ * 1. convertToMongoQuery(filters) - Converts ObjectQL filters to MongoDB query
+ * 2. new Query(mongoQuery) - Creates a Mingo query instance
+ * 3. query.find(records).all() - Executes query and returns matching records
+ * 
+ * This provides:
+ * - MongoDB-compatible query semantics
+ * - High performance in-memory queries
+ * - Rich operator support
+ * - Consistent behavior with MongoDB
+ * 
+ * All while maintaining 100% backward compatibility with existing ObjectQL code!
+ */
+
+console.log('Mingo Integration Demo - See comments in file for query conversion examples');
diff --git a/packages/drivers/memory/src/index.ts b/packages/drivers/memory/src/index.ts
@@ -618,15 +618,16 @@ export class MemoryDriver implements Driver {
             case 'contains':
             case 'like':
                 // MongoDB regex for case-insensitive contains
-                return { [field]: { $regex: new RegExp(value, 'i') } };
+                // Escape special regex characters to prevent ReDoS and ensure literal matching
+                return { [field]: { $regex: new RegExp(this.escapeRegex(value), 'i') } };
             
             case 'startswith':
             case 'starts_with':
-                return { [field]: { $regex: new RegExp(`^${value}`, 'i') } };
+                return { [field]: { $regex: new RegExp(`^${this.escapeRegex(value)}`, 'i') } };
             
             case 'endswith':
             case 'ends_with':
-                return { [field]: { $regex: new RegExp(`${value}$`, 'i') } };
+                return { [field]: { $regex: new RegExp(`${this.escapeRegex(value)}$`, 'i') } };
             
             case 'between':
                 if (Array.isArray(value) && value.length === 2) {
@@ -643,30 +644,11 @@ export class MemoryDriver implements Driver {
     }
 
     /**
-     * Build MongoDB sort object from ObjectQL sort array.
-     * Converts [['field', 'asc'], ['field2', 'desc']] to { field: 1, field2: -1 }
+     * Escape special regex characters to prevent ReDoS and ensure literal matching.
+     * This is crucial for security when using user input in regex patterns.
      */
-    private buildSortObject(sort: any[]): Record<string, any> {
-        const sortObj: Record<string, any> = {};
-        
-        for (const sortItem of sort) {
-            let field: string;
-            let direction: string;
-            
-            if (Array.isArray(sortItem)) {
-                [field, direction] = sortItem;
-            } else if (typeof sortItem === 'object') {
-                field = sortItem.field;
-                direction = sortItem.order || sortItem.direction || sortItem.dir || 'asc';
-            } else {
-                continue;
-            }
-            
-            // MongoDB uses 1 for ascending, -1 for descending
-            sortObj[field] = direction.toLowerCase() === 'desc' ? -1 : 1;
-        }
-        
-        return sortObj;
+    private escapeRegex(str: string): string {
+        return String(str).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
     }
 
     /**
