fix: add ReDoS protection for excludedNamespaces regex validation

enriqueavindi · enriqueavindi · commit c3ac8c34680a · 2026-03-16T11:51:19.000+01:00
- Limit regex length to 512 characters to mitigate catastrophic
  backtracking (ReDoS) attacks via overly complex patterns
- Improve error message to include the actual regexp compilation error
  for better debugging
diff --git a/api/v1alphav1/webhook_validations.go b/api/v1alphav1/webhook_validations.go
@@ -70,9 +70,14 @@ func isClassDefault(class OvercommitClass, client client.Client) error {
 }
 
 func checkIsRegexValid(regex string) error {
+	// Limit regex length to prevent ReDoS (catastrophic backtracking)
+	const maxRegexLen = 512
+	if len(regex) > maxRegexLen {
+		return fmt.Errorf("regex is too long (%d chars), maximum allowed is %d", len(regex), maxRegexLen)
+	}
 	_, err := regexp.Compile(regex)
 	if err != nil {
-		return errors.New("Error: the regex is not valid")
+		return fmt.Errorf("invalid regex for excludedNamespaces: %w", err)
 	}
 	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -70,9 +70,14 @@ func isClassDefault(class OvercommitClass, client client.Client) error {`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`func checkIsRegexValid(regex string) error {`
	`73`	`+ // Limit regex length to prevent ReDoS (catastrophic backtracking)`
	`74`	`+ const maxRegexLen = 512`
	`75`	`+ if len(regex) > maxRegexLen {`
	`76`	`+ return fmt.Errorf("regex is too long (%d chars), maximum allowed is %d", len(regex), maxRegexLen)`
	`77`	`+ }`
`73`	`78`	`_, err := regexp.Compile(regex)`
`74`	`79`	`if err != nil {`
`75`		`- return errors.New("Error: the regex is not valid")`
	`80`	`+ return fmt.Errorf("invalid regex for excludedNamespaces: %w", err)`
`76`	`81`	`}`
`77`	`82`	`return nil`
`78`	`83`	`}`