Skip to content

fix: escape input.id before regex construction to prevent ReDoS#9370

Open
karan68 wants to merge 1 commit intomicrosoft:mainfrom
karan68:fix/redos-input-id-regex-escape
Open

fix: escape input.id before regex construction to prevent ReDoS#9370
karan68 wants to merge 1 commit intomicrosoft:mainfrom
karan68:fix/redos-input-id-regex-escape

Conversation

@karan68
Copy link
Copy Markdown

@karan68 karan68 commented May 8, 2026

Summary
Escape regex metacharacters in input.id before injecting it into a RegExp constructor in StringWithSubstitutions.getReferencedInputs() (shared.ts line 87).

Problem
input.id from untrusted card JSON is concatenated directly into new RegExp() without escaping. A crafted id like (a+)+ causes catastrophic backtracking when the regex is executed against URL templates containing near-match patterns.

Affected code path: HttpAction.internalGetReferencedInputs() -> StringWithSubstitutions.getReferencedInputs()

Standard actions (Action.Submit, Action.Execute, Action.OpenUrl) use different code paths and are NOT affected.

Fix
Added escapeRegExp() inline to sanitize input.id before regex construction. This escapes all regex metacharacters: . * + ? ^ $ { } ( ) | [ ] \

Verification

  • Normal input IDs (e.g. userName) still match {{userName.value}} correctly
  • Malicious IDs (e.g. (a+)+) neutralized: 0ms vs 13,350ms with 28 chars
  • All 28 existing jest tests pass
  • TypeScript compilation clean
  • Webpack build succeeds

Reproduction
Parse a card with "id": "(a+)+" on an Input element and "type": "Action.Http" with URL {{aaa...28 chars...XXXXX}}, then click the action button. Browser freezes for 13+ seconds without this fix.

@karanyadavmicrosoft
fix: escape input.id before regex construction in StringWithSubstitut…
f19fa4b 
…ions.getReferencedInputs

Escape regex metacharacters in input.id before injecting it into a RegExp
constructor in shared.ts. Without escaping, a crafted input.id like '(a+)+'
causes catastrophic backtracking (ReDoS) when matched against URL templates
containing near-match patterns.

Affected code path: Action.Http -> StringWithSubstitutions.getReferencedInputs()
Standard actions (Submit, Execute, OpenUrl) are NOT affected as they use
different code paths that don't call this method.

Verified:
- Normal input IDs still match correctly (e.g. 'userName' matches {{userName.value}})
- Malicious IDs neutralized (0ms vs 13,350ms with 28 chars)
- All 28 existing jest tests pass
- TypeScript compilation and webpack build succeed
@karan68 karan68 requested review from a team, jwoo-msft and paulcam206 May 8, 2026 12:03
@karan68 karan68 mentioned this pull request May 8, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jwoo-msft jwoo-msft Awaiting requested review from jwoo-msft jwoo-msft is a code owner automatically assigned from microsoft/adaptive-cards-dev-team

@paulcam206 paulcam206 Awaiting requested review from paulcam206 paulcam206 is a code owner automatically assigned from microsoft/adaptive-cards-dev-team

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@karan68 @karanyadavmicrosoft