fix: prevent stateful RegExp lastIndex leak in scanAndRedactPayload#2574
fix: prevent stateful RegExp lastIndex leak in scanAndRedactPayload#2574tmdeveloper007 wants to merge 3 commits into
Conversation
…e TS type errors The retry-after and ratelimit-reset headers returned by Axios have the type string | number | true | string[] | AxiosHeaders. Passing these directly to parseInt causes a TS error because parseInt expects string. Wrapping with String() coerces the value before parsing. Fixes CI Type Check failures across all fork PRs.
Issue nisshchayarathi#2414: HIGH_CONFIDENCE_SECRETS patterns used the /g flag. When .test() finds a match, it mutates lastIndex to the end of the match. Subsequent calls resume from lastIndex, silently skipping secrets earlier in the payload. This causes secret tokens to potentially reach the AI provider. Fix: (1) Remove the /g flag from all patterns - not needed for .test() which stops at the first match. (2) Explicitly reset lastIndex=0 before each .test() call as defence-in-depth.
|
Someone is attempting to deploy a commit to the Nisshchaya's projects Team on Vercel. A member of the Team first needs to authorize it. |
🎉 Thanks for your contribution, @tmdeveloper007!Your PR has passed our automated GSSoC quality checks. Here's a quick summary:
A maintainer will review your PR soon. Please be patient and available for feedback. 💪 GSSoC'26 automation · Maintainer: @nisshchayarathi |
|
Warning Review limit reached
Next review available in: 38 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (5)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@tmdeveloper007 |
🎉 Thanks for your contribution, @tmdeveloper007!Your PR has passed our automated GSSoC quality checks. Here's a quick summary:
A maintainer will review your PR soon. Please be patient and available for feedback. 💪 GSSoC'26 automation · Maintainer: @nisshchayarathi |
- Move completeGraph, filters, expandedNodes declarations before nodeChurnMap useMemo to avoid TypeScript TDZ errors (variable used before declaration) - Import GraphNode and GraphLink from graphAnalyzer to fix type mismatch where local interface conflicted with analyzer return type - Accept string[] instead of Set<string> in getFilteredNodes since useGraphFilters returns arrays not Sets
cc9a8a4 to
cfaf07e
Compare
🎉 Thanks for your contribution, @tmdeveloper007!Your PR has passed our automated GSSoC quality checks. Here's a quick summary:
A maintainer will review your PR soon. Please be patient and available for feedback. 💪 GSSoC'26 automation · Maintainer: @nisshchayarathi |
|
CI green (Type Check, Build, Unit Tests, CodeQL, Lint all passing). Ready to merge. |
|
Hi! CI checks (TypeScript, Lint, CodeQL, etc.) are passing on this PR. The only CI gate showing as failed is the Vercel deployment check ( The code changes are ready for review. Could a maintainer please take a look? Happy to address any feedback. |
Summary
Fixes #2414 - Stateful RegExp lastIndex leak in the AI secret scanner.
Problem:
HIGH_CONFIDENCE_SECRETSpatterns used the/gflag. When.test()finds a match, it setslastIndexto the end of the match. Subsequent calls to.test()on the same pattern object resume fromlastIndex, silently skipping secrets located earlier in future payloads. This can cause secret tokens to reach the AI provider.Fix: (1) Remove the
/gflag from allHIGH_CONFIDENCE_SECRETSpatterns — not needed for.test()which stops at the first match. (2) Explicitly resetlastIndex = 0before each.test()call as defence-in-depth against future pattern changes.Changes:
lib/services/geminiService.ts: Removed/gflag from allHIGH_CONFIDENCE_SECRETSpatterns. Added explicitlastIndex = 0reset before each.test()call.