From d4163fe2fb934a1097b9737ebeb38d02ab9fa9ef Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Fri, 13 Apr 2018 06:52:08 +0200
Subject: [PATCH] fix: test for unsafe regex and warn
---
 lib/config/validation.js | 7 +++++++
 package.json | 5 ++++-
 test/config/__snapshots__/validation.spec.js.snap | 4 ++++
 test/config/validation.spec.js | 4 ++--
 yarn.lock | 2 +-
 5 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/lib/config/validation.js b/lib/config/validation.js
index a95fab4202..456c23d91c 100644
--- a/lib/config/validation.js
+++ b/lib/config/validation.js
@@ -5,6 +5,7 @@ const {
 hasValidSchedule,
 hasValidTimezone,
 } = require('../workers/branch/schedule');
+const safe = require('safe-regex');
 let optionTypes;
@@ -167,6 +168,12 @@ async function validateConfig(config, isPreset, parentPath) {
 ) {
 try {
 RegExp(val);
+ if (!safe(val)) {
+ errors.push({
+ depName: 'Configuration Error',
+ message: `Unsafe regExp for ${currentPath}: \`${val}\``,
+ });
+ }
 } catch (e) {
 errors.push({
 depName: 'Configuration Error',
diff --git a/package.json b/package.json
index 03f541db9d..328ceb5aab 100644
--- a/package.json
+++ b/package.json
@@ -87,6 +87,7 @@
 "pnpm": "1.40.0",
 "registry-auth-token": "3.3.2",
 "root-require": "0.3.1",
+ "safe-regex": "1.1.0",
 "semver": "5.5.0",
 "semver-stable": "2.0.4",
 "semver-utils": "1.1.2",
@@ -139,7 +140,9 @@
 "./test/globals.js"
 ],
 "setupTestFrameworkScriptFile": "./test/chai.js",
- "snapshotSerializers": ["./test/newline-snapshot-serializer.js"]
+ "snapshotSerializers": [
+ "./test/newline-snapshot-serializer.js"
+ ]
 },
 "prettier": {
 "singleQuote": true,
diff --git a/test/config/__snapshots__/validation.spec.js.snap b/test/config/__snapshots__/validation.spec.js.snap
index d2ac49cb51..7ac7a5b8f5 100644
--- a/test/config/__snapshots__/validation.spec.js.snap
+++ b/test/config/__snapshots__/validation.spec.js.snap
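Review bot: `safe(val)` in the new block after `RegExp(val);` is a star-height heuristic, not a proof of safety: safe-regex flags nested quantifiers such as the `(x+x+)+y` used in the test and patterns over its repetition limit, but it does not detect backtracking caused by overlapping alternations, so a pattern that passes this check can still backtrack catastrophically when it is later applied. A comment on the new `if` would stop the next reader from treating the check as a guarantee, e.g. `// heuristic only: safe-regex checks star height / repetition count, not every ReDoS shape`. safe-regex also parses the pattern with its own parser and returns false when that parse fails, so a pattern V8 accepted on the `RegExp(val)` line could be reported as "Unsafe" rather than as unparseable — worth confirming against the version pinned in package.json. The commit subject says "warn", yet the result is pushed to `errors`, the same array as the invalid-regex case; if the heuristic's false positives are a concern, `warnings` may be the intended destination. validateConfig's body begins and ends outside this hunk.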
@@ -65,6 +65,10 @@ Array [
 "depName": "Configuration Error",
 "message": "Invalid configuration option: \`foo\`",
 },
+ Object {
+ "depName": "Configuration Error",
+ "message": "Unsafe regExp for packageRules[0].excludePackagePatterns: \`(x+x+)+y\`",
+ },
 Object {
 "depName": "Configuration Error",
 "message": "Invalid configuration option: \`lockFileMaintenance.bar\`",
diff --git a/test/config/validation.spec.js b/test/config/validation.spec.js
index 65614bd55e..883bcdf618 100644
--- a/test/config/validation.spec.js
+++ b/test/config/validation.spec.js
@@ -10,7 +10,7 @@ describe('config/validation', () => {
 packageRules: [
 {
 packagePatterns: ['*'],
- excludePackagePatterns: ['[a-z]'],
+ excludePackagePatterns: ['(x+x+)+y'],
 },
 ],
 prBody: 'some-body',
@@ -22,7 +22,7 @@ describe('config/validation', () => {
 config
 );
 expect(warnings).toHaveLength(0);
- expect(errors).toHaveLength(2);
+ expect(errors).toHaveLength(3);
 expect(errors).toMatchSnapshot();
 });
 it('errors for all types', async () => {
diff --git a/yarn.lock b/yarn.lock
index 9a2953ca76..a941324628 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5649,7 +5649,7 @@ safe-json-stringify@~1:
 version "1.0.4"
 resolved "https://registry.yarnpkg.com/safe-json-stringify/-/safe-json-stringify-1.0.4.tgz#81a098f447e4bbc3ff3312a243521bc060ef5911"
-safe-regex@^1.1.0:
+safe-regex@1.1.0, safe-regex@^1.1.0:
 version "1.1.0"
 resolved "https://registry.yarnpkg.com/safe-regex/-/safe-regex-1.1.0.tgz#40a3669f3b077d1e943d44629e157dd48023bf2e"
 dependencies:
-- GitLab
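Review bot: Replacing `'[a-z]'` with `'(x+x+)+y'` in the `excludePackagePatterns` fixture leaves no pattern in this hunk that is both a valid regex and expected to pass the new safe-regex check, so the test no longer shows that a benign pattern produces no "Unsafe regExp" entry. Keeping both entries, `excludePackagePatterns: ['[a-z]', '(x+x+)+y'],`, exercises both outcomes without changing the error count of 3 asserted in the following hunk, since a character class has no nested quantifier. The `packagePatterns: ['*']` entry is presumably the one that fails `RegExp(val)` and accounts for the existing invalid-regex error. The enclosing test callback starts before this hunk.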