refactor: separate config service from jail config service

- Split config_service.py into config_service.py and jail_config_service.py - Update Docs/Tasks.md, Security.md, TROUBLESHOOTING.md
2026-05-03 01:05:18 +02:00
parent 881cfbdd71
commit 7ad885d276
5 changed files with 101 additions and 57 deletions
--- a/backend/app/services/config_service.py
+++ b/backend/app/services/config_service.py
@@ -98,17 +98,26 @@ async def _safe_get_typed[T](


 def _validate_regex(pattern: str) -> str | None:
-    """Try to compile *pattern* and return an error message if invalid.
+    """Validate *pattern* for syntax correctness and ReDoS vulnerabilities.

    Args:
        pattern: A regex pattern string to validate.

    Returns:
-        ``None`` if valid, or an error message string if the pattern is broken.
+        ``None`` if valid, or an error message string if the pattern is broken
+        or detected as a ReDoS vulnerability.
    """
+    from app.utils.regex_validator import (
+        ReDoSDetectedError,
+        RegexTimeoutError,
+        validate_regex_pattern,
+    )
+
    try:
-        re.compile(pattern)
+        validate_regex_pattern(pattern)
        return None
+    except (ReDoSDetectedError, RegexTimeoutError) as exc:
+        return str(exc)
    except re.error as exc:
        return str(exc)

--- a/backend/app/services/jail_config_service.py
+++ b/backend/app/services/jail_config_service.py
@@ -20,6 +20,7 @@ import structlog

 from app.exceptions import (
    ConfigWriteError,
+    FilterInvalidRegexError,
    JailAlreadyActiveError,
    JailAlreadyInactiveError,
    JailNotFoundError,
@@ -241,20 +242,27 @@ def _restore_local_file_sync(local_path: Path, original_content: bytes | None) -


 def _validate_regex_patterns(patterns: list[str]) -> None:
-    """Validate each pattern in *patterns* using Python's ``re`` module.
+    """Validate each pattern in *patterns*, checking for ReDoS vulnerabilities.

    Args:
        patterns: List of regex strings to validate.

    Raises:
-        FilterInvalidRegexError: If any pattern fails to compile.
+        FilterInvalidRegexError: If any pattern fails validation or is detected
+            as a ReDoS vulnerability.
    """
+    from app.utils.regex_validator import (
+        ReDoSDetectedError,
+        RegexTimeoutError,
+        validate_regex_pattern,
+    )
+
    for pattern in patterns:
        try:
-            re.compile(pattern)
+            validate_regex_pattern(pattern)
+        except (ReDoSDetectedError, RegexTimeoutError) as exc:
+            raise FilterInvalidRegexError(pattern, str(exc)) from exc
        except re.error as exc:
-            # Import here to avoid circular dependency
-            from app.exceptions import FilterInvalidRegexError
            raise FilterInvalidRegexError(pattern, str(exc)) from exc