fix(security): harden regex compilation for filters and redaction

2026-05-11 13:51:41 +00:00 · 2026-02-23 23:54:46 +00:00
parent e6484cb65f
commit a2dfe9879f
8 changed files with 238 additions and 16 deletions
--- a/src/discord/monitor/exec-approvals.ts
+++ b/src/discord/monitor/exec-approvals.ts
@@ -24,6 +24,7 @@ import type {
 import { logDebug, logError } from "../../logger.js";
 import { normalizeAccountId, resolveAgentIdFromSessionKey } from "../../routing/session-key.js";
 import type { RuntimeEnv } from "../../runtime.js";
+import { compileSafeRegex } from "../../security/safe-regex.js";
 import {
  GATEWAY_CLIENT_MODES,
  GATEWAY_CLIENT_NAMES,
@@ -364,11 +365,11 @@ export class DiscordExecApprovalHandler {
        return false;
      }
      const matches = config.sessionFilter.some((p) => {
-        try {
-          return session.includes(p) || new RegExp(p).test(session);
-        } catch {
-          return session.includes(p);
+        if (session.includes(p)) {
+          return true;
        }
+        const regex = compileSafeRegex(p);
+        return regex ? regex.test(session) : false;
      });
      if (!matches) {
        return false;