Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Correct regular expression range #2836

Merged
merged 1 commit into from
Aug 7, 2024
Merged

Correct regular expression range #2836

merged 1 commit into from
Aug 7, 2024

Conversation

LantaoJin
Copy link
Member

@LantaoJin LantaoJin commented Jul 17, 2024
edited

Description

Regular expression [A-z] also matches the characters: [ \ ] ^ _ `. It may have overly permissive range risk. Correct it with [a-zA-Z_].

Issues Resolved

Resolves https://github.com/opensearch-project/sql/security/code-scanning/8

Check List

  • [-] New functionality includes testing.
    • All tests pass, including unit test, integration test and doctest
  • [-] New functionality has been documented.
    • [-] New functionality has javadoc added
    • [-] New functionality has user manual doc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@LantaoJin
Correct regular expression range
4aa5375 
Signed-off-by: Lantao Jin <ltjin@amazon.com>
@LantaoJin LantaoJin marked this pull request as ready for review July 18, 2024 05:57
dai-chen
dai-chen approved these changes Jul 22, 2024
View reviewed changes
Copy link
Collaborator

@dai-chen dai-chen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix!

Just wonder previously this this a mistake instead of by design? Is it possible cx has such pattern that become illegal after this PR?

@LantaoJin
Copy link
Member Author

Thanks for the fix!

Just wonder previously this this a mistake instead of by design? Is it possible cx has such pattern that become illegal after this PR?

For backward compatibility, we can fix the security issue to add all characters: [ \ ] ^ _ ` to pattern. But it means we set them by design. @dai-chen

@dai-chen
Copy link
Collaborator

dai-chen commented Aug 6, 2024

Thanks for the fix!
Just wonder previously this this a mistake instead of by design? Is it possible cx has such pattern that become illegal after this PR?

For backward compatibility, we can fix the security issue to add all characters: [ \ ] ^ _ ` to pattern. But it means we set them by design. @dai-chen

Got it. Feel free to merge. Thanks!

@LantaoJin LantaoJin merged commit 7022a09 into opensearch-project:main Aug 7, 2024
15 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Aug 7, 2024
@github-actions
Correct regular expression range (#2836)
824d6e3 
Signed-off-by: Lantao Jin <ltjin@amazon.com>
(cherry picked from commit 7022a09)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Aug 7, 2024
Open
manasvinibs pushed a commit to manasvinibs/sql that referenced this pull request Aug 14, 2024
@LantaoJin @manasvinibs
Correct regular expression range (opensearch-project#2836)
0643245 
Signed-off-by: Lantao Jin <ltjin@amazon.com>
jzonthemtn pushed a commit to jzonthemtn/sql that referenced this pull request Aug 28, 2024
@LantaoJin @jzonthemtn
Correct regular expression range (opensearch-project#2836)
9c4b1d6 
Signed-off-by: Lantao Jin <ltjin@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dai-chen dai-chen dai-chen approved these changes

@YANG-DB YANG-DB YANG-DB approved these changes

@ps48 ps48 Awaiting requested review from ps48 ps48 is a code owner

@kavithacm kavithacm Awaiting requested review from kavithacm kavithacm is a code owner

@derek-ho derek-ho Awaiting requested review from derek-ho derek-ho is a code owner

@joshuali925 joshuali925 Awaiting requested review from joshuali925 joshuali925 is a code owner

@rupal-bq rupal-bq Awaiting requested review from rupal-bq rupal-bq is a code owner

@mengweieric mengweieric Awaiting requested review from mengweieric mengweieric is a code owner

@vamsi-amazon vamsi-amazon Awaiting requested review from vamsi-amazon vamsi-amazon is a code owner

@Swiddis Swiddis Awaiting requested review from Swiddis Swiddis is a code owner

@penghuo penghuo Awaiting requested review from penghuo penghuo is a code owner

@seankao-az seankao-az Awaiting requested review from seankao-az seankao-az is a code owner

@MaxKsyunz MaxKsyunz Awaiting requested review from MaxKsyunz MaxKsyunz is a code owner

@Yury-Fridlyand Yury-Fridlyand Awaiting requested review from Yury-Fridlyand Yury-Fridlyand is a code owner

@anirudha anirudha Awaiting requested review from anirudha anirudha is a code owner

@forestmvey forestmvey Awaiting requested review from forestmvey forestmvey is a code owner

@acarbonetto acarbonetto Awaiting requested review from acarbonetto acarbonetto is a code owner

@GumpacG GumpacG Awaiting requested review from GumpacG GumpacG is a code owner

@ykmr1224 ykmr1224 Awaiting requested review from ykmr1224 ykmr1224 is a code owner

Assignees
No one assigned
Labels
backport 2.x
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@LantaoJin @dai-chen @YANG-DB