Skip to content

fix(clerk-js): Incomplete string escaping or encoding within password complexity#5786

Closed
alexcarpenter wants to merge 2 commits intomainfrom
alert-autofix-6
Closed

fix(clerk-js): Incomplete string escaping or encoding within password complexity#5786
alexcarpenter wants to merge 2 commits intomainfrom
alert-autofix-6

Conversation

@alexcarpenter
Copy link
Contributor

@alexcarpenter alexcarpenter commented May 1, 2025

Potential fix for https://github.com/clerk/javascript/security/code-scanning/6

To fix the issue, we need to ensure that all occurrences of ] in the allowed_special_characters string are escaped. This can be achieved by using a regular expression with the global (g) flag in the replace method. Similarly, the same approach should be applied to the [ character for consistency and correctness.

The updated code will replace:

escaped = escaped.replace(']', '\\]');

with:

escaped = escaped.replace(/\]/g, '\\]');

Additionally, the replacement for [ should also use a regular expression with the g flag:

escaped = escaped.replace(/\[/g, '\\[');

This ensures that all occurrences of both [ and ] are escaped.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@alexcarpenter @github-advanced-security
Potential fix for code scanning alert no. 6: Incomplete string escapi…
34b28c8 
…ng or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@changeset-bot
Copy link

changeset-bot bot commented May 1, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 50476de

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@clerk/clerk-js Patch
@clerk/chrome-extension Patch
@clerk/clerk-expo Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel
Copy link

vercel bot commented May 1, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
clerk-js-sandbox ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 1, 2025 6:28pm

@alexcarpenter alexcarpenter changed the title Potential fix for code scanning alert no. 6: Incomplete string escaping or encoding fix(clerk-js): Incomplete string escaping or encoding within password complexity May 1, 2025
@alexcarpenter alexcarpenter requested a review from a team May 1, 2025 18:27
@alexcarpenter alexcarpenter marked this pull request as ready for review May 1, 2025 18:27
github-advanced-security[bot]
github-advanced-security bot found potential problems May 1, 2025
View reviewed changes
packages/clerk-js/src/utils/passwords/complexity.ts
// Avoid a nested group by escaping the `[]` characters
let escaped = config.allowed_special_characters.replace('[', '\\[');
escaped = escaped.replace(']', '\\]');
let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');

Check failure

Code scanning / CodeQL

Incomplete string escaping or encoding High

This does not escape backslash characters in the input.

Copilot Autofix

AI 11 months ago

To fix the issue, we need to ensure that backslashes in the allowed_special_characters string are properly escaped before constructing the regular expression. This can be achieved by adding a replace call to escape backslashes (\) before escaping square brackets ([ and ]). The updated code will replace each backslash with a double backslash (\\), ensuring that the resulting regex is valid and behaves as intended.

The changes will be made in the createTestComplexityCases function, specifically in the block where allowed_special_characters is processed (lines 15–18). No additional imports or dependencies are required.

Suggested changeset 1
packages/clerk-js/src/utils/passwords/complexity.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/clerk-js/src/utils/passwords/complexity.ts b/packages/clerk-js/src/utils/passwords/complexity.ts
--- a/packages/clerk-js/src/utils/passwords/complexity.ts
+++ b/packages/clerk-js/src/utils/passwords/complexity.ts
@@ -14,4 +14,5 @@
   if (config.allowed_special_characters) {
-    // Avoid a nested group by escaping the `[]` characters
-    let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
+    // Avoid a nested group by escaping backslashes and the `[]` characters
+    let escaped = config.allowed_special_characters.replace(/\\/g, '\\\\');
+    escaped = escaped.replace(/\[/g, '\\[');
     escaped = escaped.replace(/\]/g, '\\]');
EOF
@@ -14,4 +14,5 @@
if (config.allowed_special_characters) {
// Avoid a nested group by escaping the `[]` characters
let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
// Avoid a nested group by escaping backslashes and the `[]` characters
let escaped = config.allowed_special_characters.replace(/\\/g, '\\\\');
escaped = escaped.replace(/\[/g, '\\[');
escaped = escaped.replace(/\]/g, '\\]');
Copilot is powered by AI and may make mistakes. Always verify output.
packages/clerk-js/src/utils/passwords/complexity.ts
let escaped = config.allowed_special_characters.replace('[', '\\[');
escaped = escaped.replace(']', '\\]');
let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
escaped = escaped.replace(/\]/g, '\\]');

Check failure

Code scanning / CodeQL

Incomplete string escaping or encoding High

This does not escape backslash characters in the input.

Copilot Autofix

AI 11 months ago

To fix the issue, we need to ensure that backslashes in the allowed_special_characters string are properly escaped before constructing the regular expression. This can be achieved by adding an additional replace call to escape backslashes (\) before escaping square brackets ([ and ]). The g flag should be used in the regular expression to ensure all occurrences are replaced.

The updated code will:

  1. First escape all backslashes by replacing each \ with \\.
  2. Then escape square brackets ([ and ]) as before.

This ensures that the resulting string is safe to use in a regular expression.

Suggested changeset 1
packages/clerk-js/src/utils/passwords/complexity.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/clerk-js/src/utils/passwords/complexity.ts b/packages/clerk-js/src/utils/passwords/complexity.ts
--- a/packages/clerk-js/src/utils/passwords/complexity.ts
+++ b/packages/clerk-js/src/utils/passwords/complexity.ts
@@ -15,3 +15,4 @@
     // Avoid a nested group by escaping the `[]` characters
-    let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
+    let escaped = config.allowed_special_characters.replace(/\\/g, '\\\\');
+    escaped = escaped.replace(/\[/g, '\\[');
     escaped = escaped.replace(/\]/g, '\\]');
EOF
@@ -15,3 +15,4 @@
// Avoid a nested group by escaping the `[]` characters
let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
let escaped = config.allowed_special_characters.replace(/\\/g, '\\\\');
escaped = escaped.replace(/\[/g, '\\[');
escaped = escaped.replace(/\]/g, '\\]');
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

clerk-js

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alexcarpenter @clerk-cookie