Skip to content

fix(security): regex-audit missing inline-literal detection for .ts/.tsx/.jsx/.mjs/.cjs#212

Merged
Wolfvin merged 1 commit into
mainfrom
fix/regex-audit-ts-inline-pattern-missing
Jul 11, 2026
Merged

fix(security): regex-audit missing inline-literal detection for .ts/.tsx/.jsx/.mjs/.cjs#212
Wolfvin merged 1 commit into
mainfrom
fix/regex-audit-ts-inline-pattern-missing

Conversation

@Wolfvin

@Wolfvin Wolfvin commented Jul 11, 2026

Copy link
Copy Markdown
Owner

Found while auditing security --check regex-audit against KDS backend (all .ts files) — reported total_patterns: 0 despite genuine inline regex literals confirmed via grep (.replace(/[-:T]/g, ''), .replace(/\s+/g, '.')).

Root cause: only .js had the regex_literal_inline pattern (bare /pattern/flags used directly as a call argument, not assigned to a variable). Every other JS-family extension (.mjs, .cjs, .ts, .tsx, .jsx) was missing it.

Fix: add the same pattern to the other 4 extensions. Verified: total_patterns went from 0 to 1735, vulnerable stayed 0 (no ReDoS patterns in this codebase) — the inline pattern is noisy for raw counting (matches division operators too, same tradeoff .js already accepted) but doesn't affect vulnerability flagging.

@Wolfvin Wolfvin merged commit 50007c5 into main Jul 11, 2026
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@Wolfvin Wolfvin deleted the fix/regex-audit-ts-inline-pattern-missing branch July 11, 2026 18:52
…tsx/.jsx/.mjs/.cjs

Only .js had the 'regex_literal_inline' pattern (bare /pattern/flags used
directly as a call argument, e.g. .replace(/[-:T]/g, '')). Every other JS
family extension — .mjs, .cjs, .ts, .tsx, .jsx — was missing it, so any
inline (non-variable-assigned) regex literal in TypeScript/JSX went
completely undetected.

Found via real-codebase validation (Coretax-Auto-Downloader KDS backend,
all .ts): regex-audit reported total_patterns:0 despite genuine inline
regex literals (.replace(/[-:T]/g, ''), .replace(/\s+/g, '.')) confirmed
present via grep.

Fix: add the same inline-literal pattern already used for .js to the
other 4 extensions. Verified: total_patterns went from 0 to 1735,
vulnerable stayed 0 (no ReDoS-prone patterns in this codebase) — the
inline pattern is inherently noisy for raw counting (same tradeoff .js
already accepted), but doesn't affect the vulnerability-flagging logic.
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant