Skip to content

fix: escape $ character in regex to prevent injection#44638

Merged
joestringer merged 1 commit intocilium:mainfrom
peoyekunle:pr/peoyekunle/fix-regex
Mar 10, 2026
Merged

fix: escape $ character in regex to prevent injection#44638
joestringer merged 1 commit intocilium:mainfrom
peoyekunle:pr/peoyekunle/fix-regex

Conversation

@peoyekunle
Copy link
Copy Markdown
Contributor

@peoyekunle peoyekunle commented Mar 5, 2026
edited
Loading

Corrected the regular expression by properly escaping the $ character to ensure literal matching:

This PR fixes a vulnerability in the regular expression where the $ character was not properly escaped, causing it to match end-of-string positions instead of literal $ characters.
Before: .replace(/$g, '')
After: .replace(/$/g, '')

Reported-By: Vikram vikram@cure53.de
Reported-By: Youssef Abdullah Al-Otaibi u4@hotmail.com

Signed-off-by: Peter Oyekunle poyekunl@cisco.com

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 5, 2026
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Mar 5, 2026
@ferozsalam ferozsalam added the release-note/ci This PR makes changes to the CI. label Mar 5, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 5, 2026
@peoyekunle peoyekunle marked this pull request as ready for review March 5, 2026 09:28
@peoyekunle peoyekunle requested review from a team as code owners March 5, 2026 09:28
joestringer
joestringer approved these changes Mar 5, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@joestringer joestringer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix looks good, just a couple of trivial things picked up by one of the linters.

@ferozsalam ferozsalam added needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Mar 6, 2026
@ferozsalam
Copy link
Copy Markdown
Contributor

ferozsalam commented Mar 6, 2026

It looks like we use this workflow pinned to the versions in specific release branches. I've added the backport labels.

@squeed
Copy link
Copy Markdown
Contributor

squeed commented Mar 6, 2026

/test

@joestringer
Copy link
Copy Markdown
Member

joestringer commented Mar 6, 2026
edited
Loading

It looks like we use this workflow pinned to the versions in specific release branches. I've added the backport labels.

@aanm do you recall why we do this? Should we just switch the pull_request_target workflows defined on main to just use the workflow_call based workflow from main? I'm not sure there's anything branch-specific in the logic for this workflow (other than the version, but that's already parameterized).

@peoyekunle peoyekunle force-pushed the pr/peoyekunle/fix-regex branch from 2d640a1 to 6e6a714 Compare March 7, 2026 12:11
@peoyekunle
fix: escape $ character in regex to prevent injection
dba7f3b 
Corrected the regular expression by properly escaping the $ character to ensure literal matching:

Before: .replace(/$g, '')
After:  .replace(/\$/g, '')

Reported-by: Vikram <vikram@cure53.de>
Reported-by: Youssef Abdullah Al-Otaibi <u4@hotmail.com>

Signed-off-by: Peter Oyekunle <poyekunl@cisco.com>
@peoyekunle peoyekunle force-pushed the pr/peoyekunle/fix-regex branch from 6e6a714 to dba7f3b Compare March 7, 2026 12:12
@ferozsalam
Copy link
Copy Markdown
Contributor

ferozsalam commented Mar 10, 2026

/test

@ferozsalam ferozsalam mentioned this pull request Mar 10, 2026
Merged
@aanm
Copy link
Copy Markdown
Member

aanm commented Mar 10, 2026

`> > It looks like we use this workflow pinned to the versions in specific release branches. I've added the backport labels.

@aanm do you recall why we do this? Should we just switch the pull_request_target workflows defined on main to just use the workflow_call based workflow from main? I'm not sure there's anything branch-specific in the logic for this workflow (other than the version, but that's already parameterized).

@aanm do you recall why we do this?

@joestringer No.

Should we just switch the pull_request_target workflows defined on main to just use the workflow_call based workflow from main?

I don't think so, we need to handle the events for each specific branch. The call-backport-label-updated-v1.X needs to have the pull_request_target. However, the update-label-backport-pr.yaml can be removed from the stable branches and call the main branch workflow instead of the branch-specific workflows.

@joestringer
Copy link
Copy Markdown
Member

joestringer commented Mar 10, 2026

Smoke test failures are unrelated to the code being modified here, and they represent a known issue when mixing a PR based on an older commit against the newer CI. I'll bypass that to merge.

@joestringer joestringer merged commit 04e0ec5 into cilium:main Mar 10, 2026
76 of 79 checks passed
@smagnani96 smagnani96 mentioned this pull request Mar 16, 2026
Merged
4 tasks
@smagnani96 smagnani96 added backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. and removed needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Mar 16, 2026
@smagnani96 smagnani96 mentioned this pull request Mar 16, 2026
Merged
4 tasks
@smagnani96 smagnani96 added backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. and removed needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Mar 16, 2026
@smagnani96 smagnani96 mentioned this pull request Mar 16, 2026
Merged
10 tasks
@smagnani96 smagnani96 added backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. and removed needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Mar 16, 2026
@github-actions github-actions bot added backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. and removed backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. labels Mar 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@squeed squeed squeed approved these changes

@joestringer joestringer joestringer approved these changes

@aanm aanm aanm approved these changes

@viktor-kurchenko viktor-kurchenko viktor-kurchenko approved these changes

Assignees

No one assigned

Labels

backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. kind/community-contribution This was a contribution made by a community member. release-note/ci This PR makes changes to the CI.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@peoyekunle @ferozsalam @squeed @joestringer @aanm @viktor-kurchenko @msune @smagnani96