Fix regex ReDOS vulnerability
Signed-off-by: Walter de Boer <[email protected]>
Walter de Boer committed Oct 18, 2023
1 parent 7a17346 commit 0ea66d6
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/main/java/org/dependencytrack/util/ComponentVersion.java
Expand Up @@ -21,8 +21,10 @@
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.commons.lang3.builder.HashCodeBuilder;
import org.apache.maven.artifact.versioning.ComparableVersion;

import com.vdurmont.semver4j.Semver;

public class ComponentVersion implements Comparable<ComponentVersion> {
Expand Down Expand Up @@ -85,8 +87,7 @@ public class ComponentVersion implements Comparable<ComponentVersion> {
// Semver version format:
// https://semver.org/
// restricted number, label and build metadata parts to preven ReDOS attacks.
protected static final Pattern SEMVER_PATTERN = Pattern.compile("^(0|[1-9]\\d{0,32})\\.(0|[1-9]\\d{0,32})\\.(0|[1-9]\\d{0,32})(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)){0,8}))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+){0,8}))?$");

protected static final Pattern SEMVER_PATTERN = Pattern.compile("^(0|[1-9]\\d{0,32})\\.(0|[1-9]\\d{0,32})\\.(0|[1-9]\\d{0,32})(?:-((?:0|[1-9]\\d{0,32}|\\d{0,32}[a-zA-Z-][0-9a-zA-Z-]{0,100})(?:\\.(?:0|[1-9]\\d{0,32}|\\d{0,32}[a-zA-Z-][0-9a-zA-Z-]{0,100})){0,8}))?(?:\\+([0-9a-zA-Z-]{1,100}(?:\\.[0-9a-zA-Z-]{1,100}){0,8}))?$");

protected static final Pattern SEMVER_PRE_RELEASE_PATTERN = Pattern.compile("(-[0-9a-z]).*", Pattern.CASE_INSENSITIVE);

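Review bot: The tightened bounds in the new SEMVER_PATTERN change which versions are accepted, not only how much backtracking the engine can do: a pre-release or build-metadata string with more than nine dot-separated identifiers, an identifier longer than about 100 characters, or a numeric part longer than 33 digits no longer matches, and presumably falls through to whatever fallback parsing the rest of the class performs (outside this hunk). That trade-off is reasonable for a version string, but it should be stated in the comment and pinned by a unit test so the limits are not silently widened later; for example replace the comment with `// Semver identifiers are length-bounded (33 digits per numeric part, ~100 chars per label, at most 9 dotted identifiers) so regex backtracking stays bounded; longer inputs are rejected rather than matched.` and fix the typo `preven` -> `prevent`. Since java.util.regex offers no match timeout, a cheap length guard on the version string before `SEMVER_PATTERN.matcher(...)` is invoked (the call site is outside this hunk) would be a worthwhile second layer of defence against pathological input. A regression test with a long adversarial pre-release string (e.g. 5000 digits followed by a non-matching character) asserting the match returns quickly would document the fix the commit title claims.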
