Refactor filter configuration with regex validation

- Add regex validation utility for query strings - Update filter_config_service to use regex validation - Add comprehensive test coverage for regex validator - Update exception handling for validation errors - Update documentation for tasks Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-01 18:17:12 +02:00
parent 445c2c5418
commit 60d9c5b340
6 changed files with 367 additions and 41 deletions
--- a/backend/app/services/filter_config_service.py
+++ b/backend/app/services/filter_config_service.py
@@ -21,6 +21,8 @@ from app.exceptions import (
    FilterInvalidRegexError,
    FilterNotFoundError,
    FilterReadonlyError,
+    FilterRegexTimeoutError,
+    FilterRegexTooLongError,
    JailNotFoundInConfigError,
 )
 from app.models.config import (
@@ -45,6 +47,7 @@ from app.utils.config_file_utils import (
    set_jail_local_key_sync,
 )
 from app.utils.jail_socket import reload_all
+from app.utils.regex_validator import RegexTimeoutError, validate_regex_pattern

 log: structlog.stdlib.BoundLogger = structlog.get_logger()

@@ -231,16 +234,30 @@ def _parse_filters_sync(
 def _validate_regex_patterns(patterns: list[str]) -> None:
    """Validate each pattern in *patterns* using Python's ``re`` module.

+    Checks each pattern for:
+    - Length limit (max 1000 characters)
+    - Compilation timeout (2 seconds) to prevent ReDoS attacks
+    - Syntax validity
+
    Args:
        patterns: List of regex strings to validate.

    Raises:
+        FilterRegexTooLongError: If any pattern exceeds 1000 characters.
+        FilterRegexTimeoutError: If compilation times out (possible ReDoS).
        FilterInvalidRegexError: If any pattern fails to compile.
    """
    for pattern in patterns:
        try:
-            re.compile(pattern)
+            validate_regex_pattern(pattern)
+        except ValueError as exc:
+            # Pattern length exceeded
+            raise FilterRegexTooLongError(pattern, max_length=1000) from exc
+        except RegexTimeoutError as exc:
+            # Pattern compilation timed out
+            raise FilterRegexTimeoutError(pattern, timeout_seconds=2) from exc
        except re.error as exc:
+            # Pattern syntax error
            raise FilterInvalidRegexError(pattern, str(exc)) from exc