base-ui icon indicating copy to clipboard operation
base-ui copied to clipboard

Published 20 hours ago verified publisher icon mui

Fix: Unsafe Regular Expression Could Slow Down Application in packages/react/src/number-field/utils/parse.ts

Open kira-offgrid opened this issue 5 months ago • 2 comments

Context and Purpose:

This PR automatically remediates a security vulnerability:

  • Description: RegExp() called with a locale function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.
  • Rule ID: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
  • Severity: MEDIUM
  • File: packages/react/src/number-field/utils/parse.ts
  • Lines Affected: 53 - 53

This change is necessary to protect the application from potential security risks associated with this vulnerability.

Solution Implemented:

The automated remediation process has applied the necessary changes to the affected code in packages/react/src/number-field/utils/parse.ts to resolve the identified issue.

Please review the changes to ensure they are correct and integrate as expected.

kira-offgrid avatar Jun 27 '25 01:06 kira-offgrid

Deploy Preview for base-ui ready!

Name Link
Latest commit 899ea2e45e225905d06472a2207cb11bacb2462a
Latest deploy log https://app.netlify.com/projects/base-ui/deploys/685df7a7c04a370008344d5a
Deploy Preview https://deploy-preview-2182--base-ui.netlify.app
Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

netlify[bot] avatar Jun 27 '25 01:06 netlify[bot]

Bundle size report

Bundle size will be reported once CircleCI build #113272 finishes.

Generated by :no_entry_sign: dangerJS against 899ea2e45e225905d06472a2207cb11bacb2462a

mui-bot avatar Jun 27 '25 01:06 mui-bot

  • RegExp() called with a locale function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread.

@kira-offgrid Can you demonstrate this?

mj12albert avatar Jun 29 '25 03:06 mj12albert