fix(codegen): escape regex literals in path segments #477

adamthom-amzn · 2021-12-16T00:51:25Z

Description of changes:
We use regex to extract labeled path values, and literal path segments can
contain unescaped regex literals that can both blow up deserialization and
present ReDoS risks. While it's unlikely we will see these paths in practice,
we should still escape special regex characters.

See smithy-lang/smithy#1018 for an example of a test that is fixed with this change.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

We use regex to extract labeled path values, and literal path segments can contain unescaped regex literals that can both blow up deserialization and present ReDoS risks. While it's unlikely we will see these paths in practice, we should still escape special regex characters.

adamthom-amzn requested review from JordonPhillips, gosar and a team December 16, 2021 00:51

JordonPhillips approved these changes Dec 16, 2021

View reviewed changes

trivikr approved these changes Dec 16, 2021

View reviewed changes

adamthom-amzn merged commit 000909d into smithy-lang:main Jan 11, 2022

adamthom-amzn deleted the fix-regex-literals-in-paths branch January 11, 2022 18:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(codegen): escape regex literals in path segments #477

fix(codegen): escape regex literals in path segments #477

adamthom-amzn commented Dec 16, 2021

fix(codegen): escape regex literals in path segments #477

fix(codegen): escape regex literals in path segments #477

Conversation

adamthom-amzn commented Dec 16, 2021