From 6a13e9785d98e0a19b18874af6fac587442a419c Mon Sep 17 00:00:00 2001
From: Dima Birenbaum
Date: Mon, 13 Apr 2026 09:35:17 +0300
Subject: [PATCH] fix(security): resolve ReDoS in image name validation regex

---
 lib/v2/defender-helpers.js | 2 +-
 src/v2/defender-helpers.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/v2/defender-helpers.js b/lib/v2/defender-helpers.js
index e31b7c96..f736eaf8 100644
--- a/lib/v2/defender-helpers.js
+++ b/lib/v2/defender-helpers.js
@@ -120,7 +120,7 @@ function validateImageName(imageName) {
 throw new Error('Image name cannot be empty for image scan');
 }
 const trimmedImageName = imageName.trim();
- const imageNameRegex = /^(?:(?:[a-zA-Z0-9._-]+(?:\.[a-zA-Z0-9._-]+)*(?::[0-9]+)?\/)?[a-zA-Z0-9._-]+(?:\/[a-zA-Z0-9._-]+)*)(?::[a-zA-Z0-9._-]+|@sha256:[a-fA-F0-9]{64})?$/;
+ const imageNameRegex = /^(?:(?:[a-zA-Z0-9_-]+(?:\.[a-zA-Z0-9_-]+)*(?::[0-9]+)?\/)?[a-zA-Z0-9._-]+(?:\/[a-zA-Z0-9._-]+)*)(?::[a-zA-Z0-9._-]+|@sha256:[a-fA-F0-9]{64})?$/;
 if (!imageNameRegex.test(trimmedImageName)) {
 throw new Error(`Invalid image name format: ${trimmedImageName}. Image name should follow container image naming conventions.`);
 }
diff --git a/src/v2/defender-helpers.ts b/src/v2/defender-helpers.ts
index f230586e..d236c972 100644
--- a/src/v2/defender-helpers.ts
+++ b/src/v2/defender-helpers.ts
@@ -136,7 +136,7 @@ export function validateImageName(imageName: string): string {
 const trimmedImageName = imageName.trim();
- const imageNameRegex = /^(?:(?:[a-zA-Z0-9._-]+(?:\.[a-zA-Z0-9._-]+)*(?::[0-9]+)?\/)?[a-zA-Z0-9._-]+(?:\/[a-zA-Z0-9._-]+)*)(?::[a-zA-Z0-9._-]+|@sha256:[a-fA-F0-9]{64})?$/;
+ const imageNameRegex = /^(?:(?:[a-zA-Z0-9_-]+(?:\.[a-zA-Z0-9_-]+)*(?::[0-9]+)?\/)?[a-zA-Z0-9._-]+(?:\/[a-zA-Z0-9._-]+)*)(?::[a-zA-Z0-9._-]+|@sha256:[a-fA-F0-9]{64})?$/;
 if (!imageNameRegex.test(trimmedImageName)) {
 throw new Error(`Invalid image name format: ${trimmedImageName}. Image name should follow container image naming conventions.`);
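Review bot: The `+` line in the lib/v2/defender-helpers.js hunk drops `.` from the host-label class without a comment recording why, and that omission is the whole fix: with the literal `\.` now the only way to consume a dot, `(?:\.[a-zA-Z0-9_-]+)*` has a single parse, whereas the path part on the same line keeps `.` in its class (safe, because its separator is `/`), so a later reader "harmonising" the two classes would quietly reintroduce the backtracking. I would put `// Host labels deliberately exclude '.': the literal \. separator is the only match for a dot, so label repetition has one parse and cannot backtrack quadratically (ReDoS).` directly above the regex, and the same comment belongs on the identical hunk in src/v2/defender-helpers.ts. If lib/ is the compiled output of src/, regenerating it rather than hand-editing both copies would avoid the two drifting apart. A length bound before the test, e.g. `if (trimmedImageName.length > IMAGE_NAME_MAX_LENGTH) throw new Error('Image name too long');` (placeholder constant; pick the limit the backend actually accepts), would keep pathological inputs cheap regardless of future regex edits and also stop an arbitrarily long untrusted string from being echoed into the error message. validateImageName begins before this hunk and, since the hunk's last line is the if-block's closing brace, continues past it.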