From 6b8f98d1ad9f9d10b66c2632f4c7cb1f270e1139 Mon Sep 17 00:00:00 2001
From: Claudio
Date: Fri, 29 Sep 2023 19:50:58 +0200
Subject: [PATCH 1/2] Fix slow regex
---
 .../security/audit/cors-regex-wildcard.tsx | 42 ++++++------
 .../security/audit/cors-regex-wildcard.yaml | 64 ++++++++++---------
 2 files changed, 56 insertions(+), 50 deletions(-)
diff --git a/typescript/lang/security/audit/cors-regex-wildcard.tsx b/typescript/lang/security/audit/cors-regex-wildcard.tsx
index 36c7b25069..cb2604729e 100644
--- a/typescript/lang/security/audit/cors-regex-wildcard.tsx
+++ b/typescript/lang/security/audit/cors-regex-wildcard.tsx
@@ -1,31 +1,33 @@
-// ruleid: cors-regex-wildcard
 const corsDomains = [
- /localhost\:/,
- /(.+\.)*foo\.com$/,
- /(.+\.)*foobar\.com$/, // matches *.foobar.com,
- /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/,
- /^(http|https):\/\/www\.bar\.com$/,
- /^(http|https):\/\/www.foo.com$/,
+ /localhost\:/,
+ /(.+\.)*foo\.com$/,
+ /(.+\.)*foobar\.com$/, // matches *.foobar.com,
+ // ruleid: cors-regex-wildcard
+ /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/,
+ /^(http|https):\/\/www\.bar\.com$/,
+ // ruleid: cors-regex-wildcard
+ /^(http|https):\/\/www.foo.com$/,
 ];
-// ruleid: cors-regex-wildcard
 const CORS = [
- /localhost\:/,
- /(.+\.)*foo\.com$/,
- /(.+\.)*foobar\.com$/, // matches *.foobar.com,
- /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/,
- /^(http|https):\/\/www\.bar\.com$/,
- /^(http|https):\/\/www.foo.com$/,
+ /localhost\:/,
+ /(.+\.)*foo\.com$/,
+ /(.+\.)*foobar\.com$/, // matches *.foobar.com,
+ // ruleid: cors-regex-wildcard
+ /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/,
+ /^(http|https):\/\/www\.bar\.com$/,
+ // ruleid: cors-regex-wildcard
+ /^(http|https):\/\/www.foo.com$/,
 ];
 // ruleid: cors-regex-wildcard
 const corsOrigin = /^(http|https):\/\/www.foo.com$/;
 const urls = [
- /localhost\:/,
- /(.+\.)*foo\.com$/,
- /(.+\.)*foobar\.com$/, // matches *.foobar.com,
- /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/,
- /^(http|https):\/\/www\.bar\.com$/,
- /^(http|https):\/\/www.foo.com$/,
+ /localhost\:/,
+ /(.+\.)*foo\.com$/,
+ /(.+\.)*foobar\.com$/, // matches *.foobar.com,
+ /^(http|https):\/\/(qix|qux).biz.baz.foobar.com$/,
+ /^(http|https):\/\/www\.bar\.com$/,
+ /^(http|https):\/\/www.foo.com$/,
 ];
diff --git a/typescript/lang/security/audit/cors-regex-wildcard.yaml b/typescript/lang/security/audit/cors-regex-wildcard.yaml
index d6a59583cf..285d91f619 100644
--- a/typescript/lang/security/audit/cors-regex-wildcard.yaml
+++ b/typescript/lang/security/audit/cors-regex-wildcard.yaml
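Review bot: The two unescaped-dot entries in the `urls` array (`(qix|qux).biz.baz.foobar.com` and `www.foo.com`) are rewritten without any annotation, so the expectation that the rule does not fire on a variable not named like a CORS list is only implied by silence; an explicit `// ok: cors-regex-wildcard` on those two lines would pin that negative case in the fixture and make any later widening of the `$CORS` pattern fail the test visibly rather than quietly. The same applies to `/localhost\:/` and `/(.+\.)*foo\.com$/` in all three arrays, which are left unannotated next to lines now marked `ruleid`: an `// ok:` there would document that their weakness is a missing `^` anchor rather than the unescaped `.` this rule's message describes, so a reader does not mistake the gap for an oversight. I infer the variable-name restriction from the fixture alone; the constraint the rule places on `$CORS` is not fully visible in this patch.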
@@ -1,31 +1,35 @@ rules: -- id: cors-regex-wildcard - message: "Unescaped '.' character in CORS domain regex $CORS: $PATTERN" - metadata: - cwe: - - 'CWE-183: Permissive List of Allowed Inputs' - category: security - technology: - - cors - owasp: - - A04:2021 - Insecure Design - references: - - https://owasp.org/Top10/A04_2021-Insecure_Design - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - ts - severity: WARNING - patterns: - - pattern-either: - - pattern: const $CORS = [...,$PATTERN,...] - - pattern: const $CORS = $PATTERN - - metavariable-regex: - metavariable: $PATTERN - regex: .+?(? Date: Fri, 29 Sep 2023 19:54:33 +0200 Subject: [PATCH 2/2] Formatting --- .../security/audit/cors-regex-wildcard.yaml | 65 +++++++++---------- 1 file changed, 31 insertions(+), 34 deletions(-) diff --git a/typescript/lang/security/audit/cors-regex-wildcard.yaml b/typescript/lang/security/audit/cors-regex-wildcard.yaml index 285d91f619..bd70eb7594 100644 --- a/typescript/lang/security/audit/cors-regex-wildcard.yaml +++ b/typescript/lang/security/audit/cors-regex-wildcard.yaml @@ -1,35 +1,32 @@ rules: - - id: cors-regex-wildcard - message: "Unescaped '.' character in CORS domain regex $CORS: $PATTERN" - metadata: - cwe: - - "CWE-183: Permissive List of Allowed Inputs" - category: security - technology: - - cors - owasp: - - A04:2021 - Insecure Design - references: - - https://owasp.org/Top10/A04_2021-Insecure_Design - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Improper Validation - languages: - - ts - severity: WARNING - patterns: - - pattern-either: - - pattern: $CORS = [...,/$PATTERN/,...] - - pattern: $CORS = /$PATTERN/ - - focus-metavariable: $PATTERN - - metavariable-regex: - metavariable: $PATTERN - regex: .+?(?