From e1f9a64b92d5dfde6ed020e324a35a518bf0e006 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tr=E1=BA=A7n=20B=C3=A1ch?= <45133811+barttran2k@users.noreply.github.com>
Date: Tue, 7 Apr 2026 19:22:07 +0700
Subject: [PATCH] fix(security): regex with greedy quantifier on untrusted input
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The regex `(?<=\[\*\*).*(?=\*\*\])` in `add_app()` uses `.*` (greedy match) between a lookbehind and lookahead. While not a severe ReDoS risk in this specific pattern, applying it to user-contributed markdown lines (from README.md) with crafted input containing many `**]` sequences could cause slower-than-expected matching. This is a minor concern given the input source.

Affected files: ensure_sorted.py

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
---
 ensure_sorted.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ensure_sorted.py b/ensure_sorted.py
index 50b6683c..c702a8a2 100755
--- a/ensure_sorted.py
+++ b/ensure_sorted.py
@@ -19,7 +19,7 @@ def __init__(self, name):
 self.apps = []
 def add_app(self, app_str: str):
- matches = re.findall("(?<=\\[\\*\\*).*(?=\\*\\*\\])", app_str)
+ matches = re.findall("(?<=\\[\\*\\*)[^*]+(?=\\*\\*\\])", app_str)
 if len(matches) != 1:
 raise RuntimeError("These should be only one match")
 app_name = matches[0]
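Review bot: The new class `[^*]+` quietly narrows what `add_app` accepts: an entry whose bold name itself contains a `*`, or a line carrying two `[**…**]` entries, appears to have yielded exactly one (over-long) match under greedy `.*` but now yields zero or two, so the unchanged `if len(matches) != 1` turns a single odd README line into a RuntimeError that aborts the whole check — the patch trades slow matching for a guaranteed hard stop on that input, which is itself the denial-of-service the commit says it is guarding against. If the stricter parse is intended it should be stated in the commit message, and the error should at least identify the offending line so a contributor can fix it: `raise RuntimeError(f"expected exactly one [**name**] entry, got {len(matches)}: {app_str!r}")`. The pattern should also be written as a raw string, which is the convention for regexes and removes the doubled-backslash noise: `matches = re.findall(r"(?<=\[\*\*)[^*]+(?=\*\*\])", app_str)`. The body of `add_app` continues past the end of the hunk.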