@noelsaw1
Contributor

Summary

  • add AUDIT-LICENSE.md with an assessment of the new contributor licensing model
  • document compatibility between Apache 2.0, the CLA/CCLA inbound rights, and commercial licensing
  • provide prioritized recommendations to improve contributor clarity and compliance tracking

Testing

  • not run (documentation-only change)

Codex Task

noelsaw1 added a commit that referenced this pull request Dec 31, 2025
FEATURE:
Added HCC-008 to detect unsafe RegExp construction with user input

HCC-008: User Input in RegExp Without Escaping
- Detects RegExp constructors that concatenate variables without escaping
- Catches string concatenation: new RegExp('\\b' + query + '\\b')
- Catches template literals: RegExp(`pattern${userInput}`)
- Impact: MEDIUM - Can lead to ReDoS attacks or unexpected regex behavior
- Location: Lines 1465-1474 in check-performance.sh

TESTING:
Created comprehensive test file: /tmp/hcc-008-test/unsafe-regexp.js

Test Results:
✅ Line 7: new RegExp('\\b' + lowerQuery + '\\b', 'i') - CAUGHT (KISS PQS pattern)
✅ Line 13: RegExp(`^${userInput}$`) - CAUGHT (template literal)
✅ Line 19: new RegExp('^' + prefix + '.*' + suffix + '$') - CAUGHT (multiple concat)
✅ Line 25: new RegExp('(' + searchTerm + ')') - CAUGHT (variable concat)
✅ Line 44: new RegExp('\\b' + escaped + '\\b', 'i') - CAUGHT (expected - can't detect escaping)
❌ Line 31: new RegExp('^[a-z]+$', 'i') - NOT CAUGHT (static pattern - correct)
❌ Line 37: /\\b\\w+\\b/gi - NOT CAUGHT (regex literal - correct)

BASED ON:
- AUDIT-2025-12-31.md Issue #5: Unsafe RegExp with raw user input
- Document: 1-INBOX/KISS-PQS-FINDINGS-RULES.md (now marked HCC-008 as COMPLETED)

VALUE:
- Catches the exact KISS Plugin Quick Search vulnerability
- Prevents ReDoS (Regular Expression Denial of Service) attacks
- Flags dynamic regex construction that needs manual review
- Low false positive rate for legitimate use cases

IMPLEMENTATION NOTES:
- Uses single -E pattern with alternation (|) for BSD grep compatibility
- Pattern 1: Detects + operator: RegExp(...) +
- Pattern 2: Detects template literals: RegExp...${
- Scans .js, .jsx, .ts, .tsx, and .php files
- Known limitation: Cannot detect if variables are properly escaped
- Expected false positives: Properly escaped variables will still be flagged

DOCUMENTATION:
- Updated CHANGELOG.md with HCC-008 details
- Updated KISS-PQS-FINDINGS-RULES.md with implementation status and notes
- Added BSD grep compatibility note and known limitations
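
The following is an added illustration of the grep-based detection style the commit message describes; it is not the project's check-performance.sh code, and the HCC-008 pattern at lines 1465-1474 is not shown on this page. The regular expression below is my own approximation of the two alternatives named in the implementation notes (a `+` concatenation next to a quoted string, and a template literal containing `${`), kept as a single `grep -E` expression with `|` alternation so it works on both GNU and BSD grep. The sample file is constructed here to mirror the seven cases listed under "Test Results", including the already-escaped variable that the check cannot distinguish from a raw one.

```shell
#!/bin/sh
# Added example (not the project's own check): an HCC-008-style scan for
# RegExp construction that concatenates or interpolates variables.

# Single ERE with alternation for BSD grep compatibility:
#   1. a quote followed by optional spaces and '+'   e.g. '\\b' + query
#   2. '+' followed by optional spaces and a quote   e.g. query + '\\b'
#   3. a template literal containing ${              e.g. `^${userInput}$`
# Requiring a quote next to the '+' (my choice, an assumption about how such a
# check avoids the obvious false positive) keeps a quantifier inside a static
# pattern such as '^[a-z]+$' from being flagged.
HCC008_PATTERN='RegExp\(.*(['\''"][[:space:]]*\+|\+[[:space:]]*['\''"]|`[^`]*[$][{])'

# Constructed sample mirroring the categories in the commit's test results.
# Lines 1-4 and 7 should be reported; lines 5 (static pattern) and
# 6 (regex literal) should not.
write_sample() {
  cat > "$1" <<'EOF'
const a = new RegExp('\\b' + lowerQuery + '\\b', 'i');
const b = RegExp(`^${userInput}$`);
const c = new RegExp('^' + prefix + '.*' + suffix + '$');
const d = new RegExp('(' + searchTerm + ')');
const e = new RegExp('^[a-z]+$', 'i');
const f = /\b\w+\b/gi;
const g = new RegExp('\\b' + escaped + '\\b', 'i');
EOF
}

# Print "lineno:source" for every flagged line in the given file.
# grep exits 1 when nothing matches, which is not an error for a scanner.
hcc008_scan() {
  grep -nE "$HCC008_PATTERN" "$1" || true
}

# Number of flagged lines, as a bare integer (BSD wc pads with spaces).
hcc008_count() {
  hcc008_scan "$1" | wc -l | tr -d ' '
}

# Stand-alone run: write the sample next to the temp dir and report findings.
sample="${TMPDIR:-/tmp}/hcc008-sample-$$.js"
write_sample "$sample"
echo "HCC-008 findings in $sample:"
hcc008_scan "$sample"
echo "flagged: $(hcc008_count "$sample") of 7 lines"
rm -f "$sample"
```

Running it reports lines 1, 2, 3, 4 and 7 and leaves 5 and 6 alone, which matches the five caught and two correctly ignored cases in the commit's test table. Line 7 is the documented limitation: the variable is named `escaped`, but a textual scan has no way to know whether it was passed through an escaping helper, so it is flagged for manual review like any other concatenation.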

noelsaw1 closed this Jan 10, 2026