fix: escape string literals in scanDiff for regEx based search

kriswest · kriswest · commit 15f89994888d · 2025-10-16T10:51:35.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -269,3 +269,4 @@ website/.docusaurus
 
 # Jetbrains IDE
 .idea
+.vscode/settings.json
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -55,6 +55,7 @@
     "cors": "^2.8.5",
     "diff2html": "^3.4.52",
     "env-paths": "^3.0.0",
+    "escape-string-regexp": "^5.0.0",
     "express": "^4.21.2",
     "express-http-proxy": "^2.1.2",
     "express-rate-limit": "^8.1.0",
@@ -101,8 +102,8 @@
     "@types/node": "^22.18.10",
     "@types/react-dom": "^17.0.26",
     "@types/react-html-parser": "^2.0.7",
-    "@types/validator": "^13.15.3",
     "@types/sinon": "^17.0.4",
+    "@types/validator": "^13.15.3",
     "@types/yargs": "^17.0.33",
     "@vitejs/plugin-react": "^4.7.0",
     "chai": "^4.5.0",
diff --git a/src/proxy/processors/push-action/scanDiff.ts b/src/proxy/processors/push-action/scanDiff.ts
@@ -1,6 +1,7 @@
 import { Action, Step } from '../../actions';
 import { getCommitConfig, getPrivateOrganizations } from '../../../config';
 import parseDiff, { File } from 'parse-diff';
+import escapeStringRegexp from 'escape-string-regexp';
 
 const commitConfig = getCommitConfig();
 const privateOrganizations = getPrivateOrganizations();
@@ -75,10 +76,11 @@ const combineMatches = (organization: string) => {
       : Object.entries(commitConfig?.diff?.block?.providers ?? []);
 
   // Combine all matches (literals, patterns)
+
   const combinedMatches = [
     ...blockedLiterals.map((literal) => ({
       type: BLOCK_TYPE.LITERAL,
-      match: new RegExp(literal, 'gi'),
+      match: new RegExp(escapeStringRegexp(literal), 'gi'), //TODO: swap out escapeStringRegexp() for RegExp.escape() when we require node 24
     })),
     ...blockedPatterns.map((pattern) => ({
       type: BLOCK_TYPE.PATTERN,
diff --git a/test/processors/scanDiff.test.js b/test/processors/scanDiff.test.js
@@ -53,14 +53,15 @@ index 8b97e49..de18d43 100644
  Project to test gitproxy
 +AKIAIOSFODNN7EXAMPLE
 +AKIAIOSFODNN8EXAMPLE
-+blockedTestLiteral
++emdedded_blocked.Te$t.Literal?
 `;
 };
 describe('Scan commit diff...', async () => {
   privateOrganizations[0] = 'private-org-test';
   commitConfig.diff = {
     block: {
-      literals: ['blockedTestLiteral'],
+      //n.b. the example literal includes special chars that would be interpreted as RegEx if not escaped properly
+      literals: ['blocked.Te$t.Literal?'],
       patterns: [],
       providers: {
         'AWS (Amazon Web Services) Access Key ID':

Original file line number	Diff line number	Diff line change
`@@ -269,3 +269,4 @@ website/.docusaurus`
`269`	`269`
`270`	`270`	`# Jetbrains IDE`
`271`	`271`	`.idea`
	`272`	`+.vscode/settings.json`