Skip to content

fix: reject spoofed RegExp objects with non-string source property#222

Merged
okuryu merged 2 commits into
mainfrom
fix/regexp-source-injection
Jun 30, 2026
Merged

fix: reject spoofed RegExp objects with non-string source property#222
okuryu merged 2 commits into
mainfrom
fix/regexp-source-injection

Conversation

@redonkulus

@redonkulus redonkulus commented Jun 29, 2026

Copy link
Copy Markdown
Collaborator

A fake RegExp created via Object.create(RegExp.prototype) passes instanceof RegExp but can supply an object as .source. That object survives serialize() as executable JS and runs when the consumer evaluates new RegExp(obj, flags) via toString() coercion. Guard mirrors the existing URL fix: assert typeof source === 'string' and throw TypeError otherwise.

I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.

A fake RegExp created via Object.create(RegExp.prototype) passes
instanceof RegExp but can supply an object as .source. That object
survives serialize() as executable JS and runs when the consumer
evaluates new RegExp(obj, flags) via toString() coercion. Guard
mirrors the existing URL fix: assert typeof source === 'string'
and throw TypeError otherwise.

Fixes PSECBUGS-112938

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@redonkulus redonkulus requested a review from okuryu June 29, 2026 17:39
Fixes PSECBUGS-108887

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@redonkulus

Copy link
Copy Markdown
Collaborator Author

@okuryu Please merge and release a new patch version when ready.

@okuryu

okuryu commented Jun 29, 2026

Copy link
Copy Markdown
Collaborator

Sure, I'll try to check on today!

@okuryu okuryu merged commit 5009715 into main Jun 30, 2026
3 checks passed
@okuryu okuryu deleted the fix/regexp-source-injection branch June 30, 2026 12:11
@okuryu

okuryu commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

released v7.0.7.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants