Skip to content

fix(clerk-js): Incomplete string escaping or encoding within password complexity #5786

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(clerk-js): Incomplete string escaping or encoding within password complexity #5786

wants to merge 2 commits into from
+7 −2

Conversation

alexcarpenter
Copy link
Member

Potential fix for https://github.com/clerk/javascript/security/code-scanning/6

To fix the issue, we need to ensure that all occurrences of ] in the allowed_special_characters string are escaped. This can be achieved by using a regular expression with the global (g) flag in the replace method. Similarly, the same approach should be applied to the [ character for consistency and correctness.

The updated code will replace:

escaped = escaped.replace(']', '\\]');

with:

escaped = escaped.replace(/\]/g, '\\]');

Additionally, the replacement for [ should also use a regular expression with the g flag:

escaped = escaped.replace(/\[/g, '\\[');

This ensures that all occurrences of both [ and ] are escaped.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@alexcarpenter @github-advanced-security
Potential fix for code scanning alert no. 6: Incomplete string escapi…
34b28c8 
…ng or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented May 1, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 50476de

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@clerk/clerk-js Patch
@clerk/chrome-extension Patch
@clerk/clerk-expo Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel Vercel
Copy link

vercel bot commented May 1, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
clerk-js-sandbox ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 1, 2025 6:28pm

@alexcarpenter alexcarpenter changed the title Potential fix for code scanning alert no. 6: Incomplete string escaping or encoding fix(clerk-js): Incomplete string escaping or encoding within password complexity May 1, 2025
@alexcarpenter alexcarpenter requested a review from a team May 1, 2025 18:27
@alexcarpenter alexcarpenter marked this pull request as ready for review May 1, 2025 18:27
github-advanced-security[bot]
github-advanced-security bot found potential problems May 1, 2025
View reviewed changes
packages/clerk-js/src/utils/passwords/complexity.ts
@@ -13,8 +13,8 @@
let specialCharsRegex: RegExp;
if (config.allowed_special_characters) {
// Avoid a nested group by escaping the `[]` characters
let escaped = config.allowed_special_characters.replace('[', '\\[');
escaped = escaped.replace(']', '\\]');
let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');

Check failure

Code scanning / CodeQL

Incomplete string escaping or encoding High

This does not escape backslash characters in the input.

Copilot Autofix

AI 4 days ago

To fix the issue, we need to ensure that backslashes in the allowed_special_characters string are properly escaped before constructing the regular expression. This can be achieved by adding a replace call to escape backslashes (\) before escaping square brackets ([ and ]). The updated code will replace each backslash with a double backslash (\\), ensuring that the resulting regex is valid and behaves as intended.

The changes will be made in the createTestComplexityCases function, specifically in the block where allowed_special_characters is processed (lines 15–18). No additional imports or dependencies are required.

Suggested changeset 1
packages/clerk-js/src/utils/passwords/complexity.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/clerk-js/src/utils/passwords/complexity.ts b/packages/clerk-js/src/utils/passwords/complexity.ts
--- a/packages/clerk-js/src/utils/passwords/complexity.ts
+++ b/packages/clerk-js/src/utils/passwords/complexity.ts
@@ -14,4 +14,5 @@
   if (config.allowed_special_characters) {
-    // Avoid a nested group by escaping the `[]` characters
-    let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
+    // Avoid a nested group by escaping backslashes and the `[]` characters
+    let escaped = config.allowed_special_characters.replace(/\\/g, '\\\\');
+    escaped = escaped.replace(/\[/g, '\\[');
     escaped = escaped.replace(/\]/g, '\\]');
EOF
@@ -14,4 +14,5 @@
if (config.allowed_special_characters) {
// Avoid a nested group by escaping the `[]` characters
let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
// Avoid a nested group by escaping backslashes and the `[]` characters
let escaped = config.allowed_special_characters.replace(/\\/g, '\\\\');
escaped = escaped.replace(/\[/g, '\\[');
escaped = escaped.replace(/\]/g, '\\]');
Copilot is powered by AI and may make mistakes. Always verify output.
packages/clerk-js/src/utils/passwords/complexity.ts
let escaped = config.allowed_special_characters.replace('[', '\\[');
escaped = escaped.replace(']', '\\]');
let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
escaped = escaped.replace(/\]/g, '\\]');

Check failure

Code scanning / CodeQL

Incomplete string escaping or encoding High

This does not escape backslash characters in the input.

Copilot Autofix

AI 4 days ago

To fix the issue, we need to ensure that backslashes in the allowed_special_characters string are properly escaped before constructing the regular expression. This can be achieved by adding an additional replace call to escape backslashes (\) before escaping square brackets ([ and ]). The g flag should be used in the regular expression to ensure all occurrences are replaced.

The updated code will:

  1. First escape all backslashes by replacing each \ with \\.
  2. Then escape square brackets ([ and ]) as before.

This ensures that the resulting string is safe to use in a regular expression.

Suggested changeset 1
packages/clerk-js/src/utils/passwords/complexity.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/clerk-js/src/utils/passwords/complexity.ts b/packages/clerk-js/src/utils/passwords/complexity.ts
--- a/packages/clerk-js/src/utils/passwords/complexity.ts
+++ b/packages/clerk-js/src/utils/passwords/complexity.ts
@@ -15,3 +15,4 @@
     // Avoid a nested group by escaping the `[]` characters
-    let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
+    let escaped = config.allowed_special_characters.replace(/\\/g, '\\\\');
+    escaped = escaped.replace(/\[/g, '\\[');
     escaped = escaped.replace(/\]/g, '\\]');
EOF
@@ -15,3 +15,4 @@
// Avoid a nested group by escaping the `[]` characters
let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
let escaped = config.allowed_special_characters.replace(/\\/g, '\\\\');
escaped = escaped.replace(/\[/g, '\\[');
escaped = escaped.replace(/\]/g, '\\]');
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
clerk-js
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@alexcarpenter @clerk-cookie