fix(security): code scanner RE2 lookahead panics server at startup (#552) #742

Merged
jmiller merged 1 commits from fix/code-scanner-re2-panic into dev 2026-07-05 20:07:57 +00:00
2 changed files with 24 additions and 1 deletions
+1 -1
View File
@@ -160,7 +160,7 @@ var DefaultCodeRules = []CodeRule{
{
ID: "deserialize-yaml-py", Title: "Insecure Deserialization: yaml.load() (Python)",
Severity: security_model.SeverityHigh, CWE: "CWE-502",
Pattern: regexp.MustCompile(`yaml\.load\s*\([^)]*(?:Loader\s*=\s*yaml\.(?:Unsafe|Full)Loader|[^)]*\)(?!\s*#))`),
Pattern: regexp.MustCompile(`(?i)yaml\.load\s*\(`),
Description: "yaml.load() without SafeLoader allows arbitrary code execution — use yaml.safe_load()",
Languages: []string{".py"},
},
+23
View File
@@ -0,0 +1,23 @@
// Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
// SPDX-License-Identifier: GPL-3.0-or-later
package security
import "testing"
// TestDefaultCodeRulesCompile forces the package init, which builds every scanner
// rule's regexp via regexp.MustCompile, and asserts each pattern is present. Go's
// regexp engine is RE2 and rejects Perl-only constructs (lookahead/lookbehind/
// backreferences) by panicking in MustCompile at init — which crash-loops the
// server at startup. This test executes that init so such a pattern fails CI here
// instead of on a live deploy.
func TestDefaultCodeRulesCompile(t *testing.T) {
if len(DefaultCodeRules) == 0 {
t.Fatal("DefaultCodeRules is empty")
}
for _, r := range DefaultCodeRules {
if r.Pattern == nil {
t.Errorf("rule %q has a nil Pattern", r.ID)
}
}
}