Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion packages/ruleset/src/rules/parameter-casing-convention.js
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ module.exports = {
// Spectral casing convention types aren't robust enough to handle
// the complexity of headers, so we define our own kebab/pascal case regex.
header: {
match: '/^[A-Z]+[a-z0-9]*-*([A-Z]+[a-z0-9]*-*)*$/',
match: '/^[A-Z][A-Za-z0-9]*(?:-[A-Z][A-Za-z0-9]*)*$/',
},

// Define an alternate message for the header pattern validation
Expand Down
2 changes: 1 addition & 1 deletion packages/ruleset/src/rules/schema-casing-convention.js
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ module.exports = {
then: {
function: schemaCasingConvention,
functionOptions: {
match: '/^[A-Z]+[a-z0-9]+([A-Z]+[a-z0-9]*)*$/',
match: '/^[A-Z](?:[A-Z]*[a-z0-9]+)+$/',
},
},
};
31 changes: 31 additions & 0 deletions packages/ruleset/test/rules/parameter-casing-convention.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -178,6 +178,37 @@ describe(`Spectral rule: ${ruleId}`, () => {
const results = await testRule(ruleId, rule, testDocument);
expect(results).toHaveLength(0);
});

it('Should handle potential ReDoS patterns efficiently', async () => {
const testDocument = makeCopy(rootDocument);

// Pattern that would cause catastrophic backtracking in old regex
// Old pattern: /^[A-Z]+[a-z0-9]*-*([A-Z]+[a-z0-9]*-*)*$/
// This input would cause exponential time complexity
const maliciousHeader = 'A' + 'A-'.repeat(50);

testDocument.paths['/v1/movies'].get.parameters.push({
description: 'Header with ReDoS attack pattern',
name: maliciousHeader,
required: false,
in: 'header',
schema: {
type: 'string',
},
});

const startTime = Date.now();
const results = await testRule(ruleId, rule, testDocument);
const duration = Date.now() - startTime;

// Should complete quickly (well under 500ms) with fixed regex
// Note: Includes test overhead; actual regex execution is much faster
expect(duration).toBeLessThan(500);
// Should still validate correctly and reject the malformed header
expect(results).toHaveLength(1);
expect(results[0].code).toBe(ruleId);
expect(results[0].message).toBe(expectedMsgHeader);
});
});

describe('Should yield errors', () => {
Expand Down
27 changes: 27 additions & 0 deletions packages/ruleset/test/rules/schema-casing-convention.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,33 @@ describe(`Spectral rule: ${ruleId}`, () => {
const results = await testRule(ruleId, rule, testDocument);
expect(results).toHaveLength(0);
});

it('Should handle potential ReDoS patterns efficiently', async () => {
const testDocument = makeCopy(rootDocument);

// Pattern that would cause catastrophic backtracking in old regex
// Old pattern: /^[A-Z]+[a-z0-9]+([A-Z]+[a-z0-9]*)*$/
// This input would cause exponential time complexity
const maliciousSchemaName = 'A' + 'Aa'.repeat(50);

testDocument.components.schemas[maliciousSchemaName] = {
type: 'object',
properties: {
id: { type: 'string' },
},
};

const startTime = Date.now();
const results = await testRule(ruleId, rule, testDocument);
const duration = Date.now() - startTime;

// Should complete quickly (well under 500ms) with fixed regex
// Note: Includes test overhead; actual regex execution is much faster
expect(duration).toBeLessThan(500);
// Should still validate correctly - this pattern should actually pass
// as it matches the upper camel case pattern
expect(results).toHaveLength(0);
});
});

describe('Should yield errors', () => {
Expand Down
Loading