diff --git a/lib/config/validation.js b/lib/config/validation.js index a95fab4202ddf945e18ec6b03c31049c02b6eef6..456c23d91c75325179dfb3570fdb5d22a5331b9d 100644 --- a/lib/config/validation.js +++ b/lib/config/validation.js @@ -5,6 +5,7 @@ const { hasValidSchedule, hasValidTimezone, } = require('../workers/branch/schedule'); +const safe = require('safe-regex'); let optionTypes; @@ -167,6 +168,12 @@ async function validateConfig(config, isPreset, parentPath) { ) { try { RegExp(val); + if (!safe(val)) { + errors.push({ + depName: 'Configuration Error', + message: `Unsafe regExp for ${currentPath}: \`${val}\``, + }); + } } catch (e) { errors.push({ depName: 'Configuration Error', diff --git a/package.json b/package.json index 03f541db9dd4e3e2a6a4c8e43fe91122407f9262..328ceb5aabef74c35eca1a121e0bf5e199da343e 100644 --- a/package.json +++ b/package.json @@ -87,6 +87,7 @@ "pnpm": "1.40.0", "registry-auth-token": "3.3.2", "root-require": "0.3.1", + "safe-regex": "1.1.0", "semver": "5.5.0", "semver-stable": "2.0.4", "semver-utils": "1.1.2", @@ -139,7 +140,9 @@ "./test/globals.js" ], "setupTestFrameworkScriptFile": "./test/chai.js", - "snapshotSerializers": ["./test/newline-snapshot-serializer.js"] + "snapshotSerializers": [ + "./test/newline-snapshot-serializer.js" + ] }, "prettier": { "singleQuote": true, diff --git a/test/config/__snapshots__/validation.spec.js.snap b/test/config/__snapshots__/validation.spec.js.snap index d2ac49cb51c6f315497a285d9e2cc0b45ef04da5..7ac7a5b8f5f86ea9305e9bf1f7d3af35e5e492ce 100644 --- a/test/config/__snapshots__/validation.spec.js.snap +++ b/test/config/__snapshots__/validation.spec.js.snap 
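Review bot: The new `if (!safe(val))` branch in validateConfig treats safe-regex as an oracle, but the library is a star-height heuristic (it rejects star height above 1 and, by default, more than 25 repetitions), so it misses exponential patterns with overlapping alternation such as `(a|aa)+` and flags benign counted repetitions like `a{30}`; a one-line comment above the check should say so, e.g. `// safe-regex is a star-height heuristic, not a proof: (a|aa)+ passes, a{30} is flagged`. It also appears that safe-regex returns false whenever its own parser cannot handle the pattern, so a regex that `RegExp(val)` accepts but safe-regex does not parse would be reported as unsafe rather than unsupported — if that holds for the pinned version, the message text `Unsafe regExp for ${currentPath}` is worth softening to `Unsafe or unsupported regExp for ${currentPath}` so users do not chase a ReDoS that is not there. Finally, the check is a mitigation for attacker-supplied config patterns rather than a guarantee; if these patterns are later matched against untrusted package names, a timeout or size bound on the match itself is the stronger control. validateConfig starts before and continues after this hunk, so the surrounding try/catch and the keys that reach this branch are not visible here.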
@@ -65,6 +65,10 @@ Array [ "depName": "Configuration Error", "message": "Invalid configuration option: \`foo\`", }, + Object { + "depName": "Configuration Error", + "message": "Unsafe regExp for packageRules[0].excludePackagePatterns: \`(x+x+)+y\`", + }, Object { "depName": "Configuration Error", "message": "Invalid configuration option: \`lockFileMaintenance.bar\`", diff --git a/test/config/validation.spec.js b/test/config/validation.spec.js index 65614bd55e4e71c1256f2e9f256a4d8ff3601737..883bcdf618a37f6f2a5e49c9a0d0cd1291c53f11 100644 --- a/test/config/validation.spec.js +++ b/test/config/validation.spec.js @@ -10,7 +10,7 @@ describe('config/validation', () => { packageRules: [ { packagePatterns: ['*'], - excludePackagePatterns: ['[a-z]'], + excludePackagePatterns: ['(x+x+)+y'], }, ], prBody: 'some-body', @@ -22,7 +22,7 @@ describe('config/validation', () => { config ); expect(warnings).toHaveLength(0); - expect(errors).toHaveLength(2); + expect(errors).toHaveLength(3); expect(errors).toMatchSnapshot(); }); it('errors for all types', async () => { diff --git a/yarn.lock b/yarn.lock index 9a2953ca766e67c2004ff3818940a2b26352beb8..a9413246285f6939e2f1176eece09c5c1de8e47a 100644 --- a/yarn.lock +++ b/yarn.lock @@ -5649,7 +5649,7 @@ safe-json-stringify@~1: version "1.0.4" resolved "https://registry.yarnpkg.com/safe-json-stringify/-/safe-json-stringify-1.0.4.tgz#81a098f447e4bbc3ff3312a243521bc060ef5911" -safe-regex@^1.1.0: +safe-regex@1.1.0, safe-regex@^1.1.0: version "1.1.0" resolved "https://registry.yarnpkg.com/safe-regex/-/safe-regex-1.1.0.tgz#40a3669f3b077d1e943d44629e157dd48023bf2e" dependencies:
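Review bot: The spec now exercises only the rejection path: the benign `'[a-z]'` pattern was replaced by `'(x+x+)+y'`, so nothing asserts that an ordinary pattern still passes the new safe-regex check, and a regression where `safe()` rejects every pattern (for example a parse failure in its dependency) would leave this test green. Keeping both patterns, `excludePackagePatterns: ['[a-z]', '(x+x+)+y'],`, preserves the expected count of 3 while pinning the accept path as well; a second case for a counted repetition such as `'a{30}'` would document whether the default repetition limit is intended to be a configuration error. The enclosing `describe`/`it` blocks start outside the hunk, so the exact config fixture being validated is only partly visible here.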