Skip to content

Fix ReDoS, information disclosure, and dependency vulnerabilities#4

Draft
cinnamon-msft with Copilot wants to merge 6 commits into
mainfrom
copilot/check-security-vulnerabilities
Draft

Fix ReDoS, information disclosure, and dependency vulnerabilities#4
cinnamon-msft with Copilot wants to merge 6 commits into
mainfrom
copilot/check-security-vulnerabilities

Conversation

Copilot AI commented Jan 26, 2026

Copy link
Copy Markdown
Contributor

Security audit identified three vulnerabilities: ReDoS in glob pattern matching, information disclosure via production error logs, and deprecated multer dependency with known CVEs.

Changes

ReDoS Prevention (packages/core/src/cli.ts)

  • Escape all regex special characters in user-provided glob patterns before compilation
  • Replace greedy .* with non-greedy [^/]*? to prevent catastrophic backtracking
  • Restrict wildcards to exclude path separators, preventing path traversal

Before:

const regexPattern = filePattern
  .replace(/\./g, "\\.")
  .replace(/\*/g, ".*")  // Vulnerable to ReDoS
  .replace(/\?/g, ".");

After:

const escapedPattern = filePattern
  .replace(/[\\\[\].+^${}()|]/g, "\\$&");  // Escape all special chars
const regexPattern = escapedPattern
  .replace(/\*/g, "[^/]*?")  // Non-greedy, excludes path separators
  .replace(/\?/g, "[^/]");

Information Disclosure (packages/server/src)

  • Created utils/logger.ts with logError() that sanitizes errors in production (logs only name, message, timestamp)
  • Removed full stack traces from production logs that could expose tokens, paths, or system internals
  • Applied to error handler middleware and API routes

Dependency Update

  • Upgraded multer from v1.4.5-lts.1 to v2.0.2 (fixes all known CVEs, no breaking changes)

Verification

  • CodeQL: 0 alerts
  • npm audit: 0 vulnerabilities
Original prompt

Check for any security vulnerabilities


💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 5 commits January 26, 2026 20:12
Co-authored-by: cinnamon-msft <48369326+cinnamon-msft@users.noreply.github.com>
Co-authored-by: cinnamon-msft <48369326+cinnamon-msft@users.noreply.github.com>
…lication

Co-authored-by: cinnamon-msft <48369326+cinnamon-msft@users.noreply.github.com>
Co-authored-by: cinnamon-msft <48369326+cinnamon-msft@users.noreply.github.com>
Co-authored-by: cinnamon-msft <48369326+cinnamon-msft@users.noreply.github.com>
Copilot AI changed the title [WIP] Check for any security vulnerabilities Fix ReDoS, information disclosure, and dependency vulnerabilities Jan 26, 2026
Copilot AI requested a review from cinnamon-msft January 26, 2026 20:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants