Merge pull request #78 from Hexastack/77-issue-regular-expression-inj…

…ection fix: escape regular expressions
Hexastack · Sep 24, 2024 · e06dfd6 · e06dfd6
2 parents 3110c6a + 73d9020
commit e06dfd6
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 4 deletions.
diff --git a/api/migrations/config/create.ts b/api/migrations/config/create.ts
@@ -11,6 +11,8 @@
 import fs from 'fs';
 import path from 'path';
 
+import escapeRegExp from 'lodash/escapeRegExp';
+
 // Get the argument passed (e.g., "all-users-fr")
 const arg: string | undefined = process.argv[2];
 
@@ -25,7 +27,7 @@ const templatePath: string = path.join(__dirname, '../config/template.ts');
 
 // Check if a migration with the same name (excluding timestamp) already exists
 const migrationExists: boolean = fs.readdirSync(migrationsDir).some((file) => {
- const regex = new RegExp(`^[0-9]+-${arg}\.ts$`);
+ const regex = new RegExp(`^[0-9]+-${escapeRegExp(arg)}\\.ts$`);
  return regex.test(file);
 });
 

diff --git a/api/package-lock.json b/api/package-lock.json
diff --git a/api/package.json b/api/package.json
@@ -91,6 +91,7 @@
  "@types/express": "^4.17.17",
  "@types/express-session": "^1.17.10",
  "@types/jest": "^29.5.2",
+ "@types/lodash": "^4.17.9",
  "@types/module-alias": "^2.0.4",
  "@types/multer": "^1.4.11",
  "@types/node": "^20.3.1",

diff --git a/api/src/utils/pipes/search-filter.pipe.ts b/api/src/utils/pipes/search-filter.pipe.ts
@@ -13,6 +13,7 @@ import {
  ArgumentMetadata,
  Logger,
 } from '@nestjs/common';
+import escapeRegExp from 'lodash/escapeRegExp';
 import { TFilterQuery, Types } from 'mongoose';
 
 import {
@@ -36,9 +37,8 @@ export class SearchFilterPipe<T>
  }
 
  private getRegexValue(val: string) {
- const quote = (str: string) =>
- str.replace(/([.?*+^$[\]\\(){}|-])/g, '\\$1');
- return new RegExp(quote(val), 'i');
+ const escapedRegExp = escapeRegExp(val);
+ return new RegExp(escapedRegExp, 'i');
  }
 
  private isAllowedField(field: string) {