Replaces backtracking-prone /\/\*[\s\S]*?\*\// with Friedl's unrolled loop pattern to eliminate ReDoS risk on unterminated block comments. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
#3) (?:\s*.*)?$ causes backtracking ambiguity since both \s* and .* match spaces. Simplified to .*$ which is equivalent and linear-time. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
#2) Workflow uses a GitHub App token exclusively; GITHUB_TOKEN is never referenced. Adding permissions: {} enforces least privilege. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
#1) Only contents: read is needed for actions/checkout. Explicit permissions block enforces least privilege on the GITHUB_TOKEN. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…odeQL #5) Previous unrolled loop pattern still had ambiguous quantifiers. Replaced with (?:[^*]|\*[^/])* where alternatives are mutually exclusive, making backtracking impossible. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Regex-based approaches are flagged by CodeQL due to O(n^2) backtracking when the pattern fails to match. indexOf is a plain linear scan with no NFA and no backtracking possible. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
riley0227 approved these changes on Apr 6, 2026
Summary

Fixes all 5 open CodeQL security alerts on main. Three high-severity ReDoS vulnerabilities in the SQL/YAML/Dockerfile parsers, and two medium-severity missing permissions blocks in GitHub Actions workflows.

Type

Changes

- core-ingestion/src/index.ts — replace polynomial /*...*/ block comment regex with Friedl's unrolled loop pattern (CodeQL #5)
- core-ingestion/src/index.ts — replace /\s+$/ with String.trimEnd() to eliminate trailing-whitespace backtracking (CodeQL #4)
- core-ingestion/src/index.ts — remove overlapping (?:\s*.*)?$ quantifiers in keyLinePattern (CodeQL #3)
- .github/workflows/notify-sync.yml — add permissions: {} (workflow never uses GITHUB_TOKEN) (CodeQL #2)
- .github/workflows/ci.yml — add permissions: contents: read (minimum required for actions/checkout) (CodeQL #1)

Validation

CodeQL flagged these as polynomial-time regex (CWE-1333, CWE-400, CWE-730) and missing least-privilege permissions (CWE-275). Each fix was verified to be behaviorally equivalent to the original.
Checklist