QWED-AI
qwed-verification
Blog
Docs
Changelog
Blog
Docs
Changelog
Overview
Branches
Benchmarks
Runs
Performance History
Latest Results
Merge pull request #211 from QWED-AI/fix/codeql-redos-data-uri fix: replace polynomial regex with O(n) str.find loop for data URI removal
main
2 days ago
chore: remove tracked .coverage file
fix/codeql-redos-data-uri
3 days ago
test: add coverage for data URI removal branches (6 tests) Covers: well-formed URI, case-insensitive, malformed (no comma), malformed before valid, consecutive URIs, and comma inside content.
fix/codeql-redos-data-uri
3 days ago
test: add coverage for data URI removal branches (6 tests) Covers: well-formed URI, case-insensitive, malformed (no comma), malformed before valid, consecutive URIs, and comma inside content. Hits all branches of the new re.search+str.find loop.
fix/codeql-redos-data-uri
3 days ago
chore: remove accidentally committed junk files
fix/codeql-redos-data-uri
3 days ago
fix: bound comma search to current URI span Sentry: unbounded cleaned.find(',', _idx) could consume a comma from a subsequent URI or unrelated text, causing over-deletion. Now bounded by the next data:text/html prefix (if any) using _search_end.
fix/codeql-redos-data-uri
3 days ago
fix: re.search+str.find loop avoids ReDoS without truncation Gitar/Sentry: silent 10000-char truncation dropped legitimate output. Replaced truncation+re.sub with re.search (fixed literal, no backtracking) to find each case-insensitive prefix, then str.find for the comma. O(n) single-pass, no Unicode index issues, no truncation.
fix/codeql-redos-data-uri
3 days ago
fix: use re.sub with length bound instead of str.find loop CodeRabbit: str.find on lower() has Unicode index misalignment risk (e.g. İ -> i + combining dot). Reverted to re.sub with (?i) inline flag to avoid lower()+slice altogether. Added 10000-char input cap per CodeQL's own recommendation to bound polynomial backtracking — this protects not just the data URI regex but all dangerous_patterns sub calls too.
fix/codeql-redos-data-uri
3 days ago
Latest Branches
CodSpeed Performance Gauge
0%
fix: replace polynomial regex with O(n) str.find loop for data URI removal
#211
3 days ago
1ed2b69
fix/codeql-redos-data-uri
CodSpeed Performance Gauge
0%
Potential fix for code scanning alert no. 515: Log Injection
#210
3 days ago
f9ea735
alert-autofix-515
CodSpeed Performance Gauge
0%
docs: sync README with v5.2.0 codebase — engines, guards, architecture
#209
8 days ago
f008202
docs/readme-sync-v5.2.0
© 2026 CodSpeed Technology
Home
Terms
Privacy
Docs