
Conversation

@marevol
Contributor

@marevol marevol commented Dec 20, 2025

Summary

This PR addresses security vulnerabilities related to regular expression denial of service (ReDoS) and improves cookie handling consistency for search parameters.

Changes Made

ReDoS Prevention in Dictionary Files

  • CharMappingFile.java: Changed regex pattern from (.*)\\s*=>\\s*(.*)\\s*$ to (.*?)\\s*+=>\\s*+(.*?)\\s*+$
  • StemmerOverrideFile.java: Applied the same regex pattern fix

The original greedy quantifiers (*) combined with backtracking could cause exponential time complexity on certain malformed inputs. Using non-greedy quantifiers (*?) with possessive quantifiers (*+) prevents catastrophic backtracking.

Cookie Security Improvements in SearchHelper

  • Extracted isSearchParameterCookieSecure() method to centralize the logic for determining cookie secure flag
  • Added missing httpOnly and secure flags when invalidating the search parameter cookie
  • Previously, when clearing the cookie (setting maxAge to 0), the cookie attributes were inconsistent with the original cookie, which could lead to the cookie not being properly invalidated in some browsers

S3 Endpoint Detection Fix in StorageClientFactory

  • Replaced regex pattern .*s3[.-].* with simpler string contains checks: contains("s3.") or contains("s3-")
  • The previous regex pattern was susceptible to ReDoS and unnecessary for simple substring matching

Testing

  • Verified regex patterns compile correctly
  • The changes are backward-compatible and do not alter the functional behavior

Breaking Changes

None. These are internal implementation improvements that maintain the same external behavior.

Additional Notes

These fixes address potential security vulnerabilities that could be exploited through carefully crafted input to cause CPU exhaustion via regex backtracking.

- Use possessive quantifiers (*+) in regex patterns for CharMappingFile
  and StemmerOverrideFile to prevent catastrophic backtracking (ReDoS)
- Extract isSearchParameterCookieSecure() method in SearchHelper for
  better code reuse and consistency
- Set httpOnly and secure flags when invalidating search parameter cookie
  to ensure consistent cookie attributes
- Replace regex with simple string contains for S3 endpoint detection
  in StorageClientFactory to avoid potential ReDoS

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
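The two dictionary-line patterns quoted in this PR can be compared directly. The following is an added example, not Fess project code: it compiles the old and new patterns from the description, times each on a constructed whitespace-only line (no `=>`, so the engine must exhaust every alternative before reporting no match), and then parses a well-formed mapping line with both. It assumes the patterns are applied with `Matcher.find()` per line, which the PR does not show, and it also surfaces a caveat worth knowing: the raw `group(1)` and `group(2)` captures differ between the two patterns in their surrounding whitespace (the lazy groups stop before it, the greedy ones swallow it), so behaviour is only identical for callers that trim the captures, which this example does.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not part of Fess): ReDoS comparison of the dictionary-line
 * regex before and after the change, plus a capture-equivalence check.
 */
public class DictionaryRegexCheck {

    // Both patterns are copied verbatim from the PR description.
    static final Pattern OLD_PATTERN = Pattern.compile("(.*)\\s*=>\\s*(.*)\\s*$");
    static final Pattern NEW_PATTERN = Pattern.compile("(.*?)\\s*+=>\\s*+(.*?)\\s*+$");

    /**
     * Runs find() once and returns the elapsed time in milliseconds.
     * Assumption: the dictionary parser calls find() per line; the call site
     * is not shown in the PR, so treat this as illustrative.
     */
    static long timeFind(Pattern pattern, String line) {
        long start = System.nanoTime();
        boolean found = pattern.matcher(line).find();
        long millis = (System.nanoTime() - start) / 1_000_000;
        System.out.printf("%-40s found=%-5s %6d ms%n", pattern.pattern(), found, millis);
        return millis;
    }

    /**
     * Parses "input => output" into {input, output}. The trim() calls are what
     * make the old and new patterns agree: without them the greedy pattern
     * keeps trailing whitespace inside the captures and the lazy one does not.
     */
    static String[] parse(Pattern pattern, String line) {
        Matcher m = pattern.matcher(line);
        if (!m.find()) {
            return null;
        }
        return new String[] { m.group(1).trim(), m.group(2).trim() };
    }

    public static void main(String[] args) {
        // Constructed adversarial input: 1000 spaces and no "=>".
        // With the greedy pattern every split of "(.*)\s*" is retried for
        // every start position; the possessive "\s*+" refuses to give back
        // characters, so the lazy pattern fails after a single pass per position.
        String hostileLine = " ".repeat(1000);
        timeFind(OLD_PATTERN, hostileLine);
        timeFind(NEW_PATTERN, hostileLine);

        // Constructed well-formed line with surrounding whitespace.
        String mappingLine = "\u3042 , \u3044  =>  a  ";
        String[] viaOld = parse(OLD_PATTERN, mappingLine);
        String[] viaNew = parse(NEW_PATTERN, mappingLine);
        System.out.printf("old: [%s] -> [%s]%n", viaOld[0], viaOld[1]);
        System.out.printf("new: [%s] -> [%s]%n", viaNew[0], viaNew[1]);

        // Raw captures show why trimming matters for behavioural parity.
        Matcher mo = OLD_PATTERN.matcher(mappingLine);
        Matcher mn = NEW_PATTERN.matcher(mappingLine);
        mo.find();
        mn.find();
        System.out.printf("raw group(1): old=[%s] new=[%s]%n", mo.group(1), mn.group(1));
        System.out.printf("raw group(2): old=[%s] new=[%s]%n", mo.group(2), mn.group(2));
    }
}
```

Compile and run with `javac DictionaryRegexCheck.java && java DictionaryRegexCheck`. The timing gap grows steeply with the line length, so when reviewing a change like this the useful regression test is a bounded-time assertion on a long non-matching line, not just "the pattern compiles".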
@marevol marevol added this to the 15.4.0 milestone Dec 20, 2025
@marevol marevol self-assigned this Dec 20, 2025
@marevol marevol merged commit f925a00 into master Dec 20, 2025
1 check passed
@marevol marevol deleted the fix/regex-redos-and-cookie-security branch December 25, 2025 07:41