fix: Address ReDoS vulnerability in regex patterns

Make auth pattern non-greedy to prevent backtracking attacks.
This addresses a code review finding for our new error sanitization.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
leex279
2025-09-06 22:13:00 +02:00
parent 55626056b6
commit 63c51e3d31


@@ -72,7 +72,7 @@ def _sanitize_openai_error(error_message: str) -> str:
sanitized_patterns = {
r'https?://[^\s]+': '[REDACTED_URL]', # Remove URLs
r'sk-[a-zA-Z0-9]{48}': '[REDACTED_KEY]', # Remove API keys (OpenAI format)
r'"[^"]*auth[^"]*"': '[REDACTED_AUTH]', # Remove auth details
r'"[^"]*auth[^"]*?"': '[REDACTED_AUTH]', # Remove auth details (non-greedy)
r'org-[a-zA-Z0-9]{24}': '[REDACTED_ORG]', # Remove OpenAI organization IDs
r'proj_[a-zA-Z0-9]{10,}': '[REDACTED_PROJ]', # Remove OpenAI project IDs (adjusted length)
r'req_[a-zA-Z0-9]{6,}': '[REDACTED_REQ]', # Remove OpenAI request IDs (adjusted length)
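Review bot: The non-greedy `[^"]*?` in the new auth pattern does not change the regex's backtracking behaviour, so it does not address ReDoS as the commit message claims; laziness only changes the order in which match lengths are tried, not how many positions the engine examines when a match fails. Because `[^"]` already excludes the closing quote, each attempt is bounded by the distance to the next `"`, so the original pattern was not catastrophic either; if unbounded input is the concern, bound the quantifiers instead, e.g. `r'"[^"]{0,256}auth[^"]{0,256}"'`, or truncate `error_message` to a fixed length before the substitutions run. Separately, `auth` is matched case-sensitively here, so a quoted `"Authorization: ..."` fragment would pass through unredacted unless the substitution elsewhere uses `re.IGNORECASE` (not visible in this hunk), and `sk-[a-zA-Z0-9]{48}` only covers keys of exactly that shape; both deserve a unit test with a sample message. The body of `_sanitize_openai_error` starts and ends outside the hunk.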