fix(api): fix inefficient RegExp that may cause ReDoS

exoego · web-flow · commit 17bec4accec8 · 2022-04-30T10:37:19.000+02:00
Fixes inefficient RegExp which could cause Regular expression Denial of Service attack

The problematic part (?:\[(?:\d*|[a-z0-9_-]+)\])* will matches

(empty)
[]
[0123]
[abcd]
[0a_1b_c2]
[][]
[0123][]
[abcd][0a_1b_c2]
All these pattern is covered with the fixed regexp, I think.
diff --git a/src/definitions/behaviors/api.js b/src/definitions/behaviors/api.js
@@ -1208,7 +1208,7 @@ $.api.settings = {
   regExp  : {
     required : /\{\$*[A-z0-9]+\}/g,
     optional : /\{\/\$*[A-z0-9]+\}/g,
-    validate: /^[a-z_][a-z0-9_-]*(?:\[(?:\d*|[a-z0-9_-]+)\])*$/i,
+    validate: /^[a-z_][a-z0-9_-]*(?:\[[a-z0-9_-]*\])*$/i,
     key:      /[a-z0-9_-]+|(?=\[\])/gi,
     push:     /^$/,
     fixed:    /^\d+$/,
