From 116aff2f8ec796c44246d8fd1191ddb06e3048a3 Mon Sep 17 00:00:00 2001
From: Gauvino
Date: Fri, 5 Jun 2026 13:15:39 +0200
Subject: [PATCH] fix(pr-validation): strip HTML comments via linear scan to satisfy CodeQL

Replace the regex-based comment stripper (flagged by CodeQL js/incomplete-multi-character-sanitization, alert #330) with a single linear indexOf scan. Behaviour is identical on complete, unterminated and nested comments, but there is no regex backtracking and no loop-until-stable, so the CodeQL alert clears without reintroducing the CPU-DoS risk.
---
 scripts/check-pr-template.mjs | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/scripts/check-pr-template.mjs b/scripts/check-pr-template.mjs
index eeffb4a0a..f799b41f5 100644
--- a/scripts/check-pr-template.mjs
+++ b/scripts/check-pr-template.mjs
@@ -29,15 +29,25 @@ try {
 const association = (process.env.AUTHOR_ASSOCIATION || "").toUpperCase();
 const isMaintainer = ["OWNER", "MEMBER", "COLLABORATOR"].includes(association);
-// Strip HTML comments in a single linear pass: remove complete ``
-// blocks, then drop any leftover unterminated `/g, "")
- .replace(/", start + 4);
+ if (end === -1) break; // unterminated comment: drop the rest
+ i = end + 3;
+ }
+ return out.trim();
+};
 // Grab the text under a heading whose title contains `keyword`, up to the next heading
 // or the end of the body.
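Review bot: The closer lookup on the added line ending `, start + 4);` (presumably an indexOf for `-->` starting four characters past the opener) means an opener immediately followed by its closer, such as `<!-->` or `<!--->`, is never recognised as a closed comment, so the scan runs on to the next `-->` or, through the `if (end === -1) break;` branch, drops the remainder of the body. An HTML parser closes such a comment at once (the abrupt-close rule) and GitHub's markdown renderer most likely does the same, so the text this check evaluates can differ from what a reader sees; the old regex had the same gap, so this is not a regression, but it deserves a comment such as `// NOTE: "<!-->" / "<!--->" are not treated as closed comments (same as the old regex; differs from the HTML parser)`. The middle of the hunk is not fully legible in this copy, so the opener lookup is inferred from the `start + 4` offset and the `i = end + 3;` advance rather than read directly.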