fix(security): tighten overlappingAlt detector to catch (a|aa)+ patterns

sorlen008 · sorlen008 · commit 57884ae68831 · 2026-04-01T08:07:53.000Z
The previous regex required a second quantifier after the group quantifier, so patterns like (a|aa)+$ could bypass the ReDoS check. Remove the trailing quantifier requirement so any quantified alternation group is flagged. Addresses coderabbitai review comment on PR wonderwhy-er#400. https://claude.ai/code/session_01UesrAy2NYmCpw7rqX71V5X
diff --git a/src/search-manager.ts b/src/search-manager.ts
@@ -21,9 +21,9 @@ export function isSafeRegex(pattern: string): boolean {
     return false;
   }
 
-  // Detect overlapping alternations in quantified groups: (a|a)+, (\w|\d)+
-  // These can also cause catastrophic backtracking
-  const overlappingAlt = /\((?:[^)]*\|[^)]*)\)[+*]\s*[+*?{]/;
+  // Detect overlapping alternations in quantified groups: (a|a)+, (a|aa)+, (\w|\d)+
+  // These can cause catastrophic backtracking even without a second outer quantifier
+  const overlappingAlt = /\((?:[^)]*\|[^)]*)\)[+*]/;
   if (overlappingAlt.test(pattern)) {
     return false;
   }

Original file line number	Diff line number	Diff line change
`@@ -21,9 +21,9 @@ export function isSafeRegex(pattern: string): boolean {`
`21`	`21`	`return false;`
`22`	`22`	`}`
`23`	`23`
`24`		`- // Detect overlapping alternations in quantified groups: (a\|a)+, (\w\|\d)+`
`25`		`- // These can also cause catastrophic backtracking`
`26`		`- const overlappingAlt = /\((?:[^)]\\|[^)])\)[+]\s[+*?{]/;`
	`24`	`+ // Detect overlapping alternations in quantified groups: (a\|a)+, (a\|aa)+, (\w\|\d)+`
	`25`	`+ // These can cause catastrophic backtracking even without a second outer quantifier`
	`26`	`+ const overlappingAlt = /\((?:[^)]\\|[^)])\)[+*]/;`
`27`	`27`	`if (overlappingAlt.test(pattern)) {`
`28`	`28`	`return false;`
`29`	`29`	`}`