Conversation

@odaysec odaysec commented Nov 8, 2025

To correctly validate that the input string represents a valid attribute name and does not allow multi-line bypass, change the regular expression on line 24 to use the absolute string anchors \A and \z instead of the line anchors ^ and $. Specifically, replace /^[_A-Za-z]\w*$/ with /\A[_A-Za-z]\w*\z/. No other modifications or imports are needed, and existing functionality will be preserved. The change should be made only to line 24 in logstash-core/lib/logstash/util/thread_safe_attributes.rb, replacing the vulnerable regex.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the default configuration files (and/or docker env variables)
  • I have added tests that prove my fix is effective or that my feature works

How to test this PR locally

🎟️ Related issues #18414
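
The anchor difference described in the PR description above, as an added Ruby example that is not part of the pull request or of Logstash's code. The constant names, `accepts?`, `report` and every sample input are constructed for illustration, and the `\Z` variant is included only for contrast with `\z`.

```ruby
# Added example (not Logstash code). All sample inputs are constructed.
LINE_ANCHORED   = /^[_A-Za-z]\w*$/     # pattern the PR replaces
STRING_ANCHORED = /\A[_A-Za-z]\w*\z/   # pattern the PR proposes
TRAILING_NL_OK  = /\A[_A-Za-z]\w*\Z/   # \Z variant, for contrast only (not in the PR)

PATTERNS = {
  "^...$"     => LINE_ANCHORED,
  "\\A...\\Z" => TRAILING_NL_OK,
  "\\A...\\z" => STRING_ANCHORED,
}.freeze

SAMPLES = [
  "queue_size",                 # ordinary attribute name
  "1abc",                       # starts with a digit
  "",                           # empty string
  "queue_size\n",               # valid name plus one trailing newline
  "queue_size\nnot a name!",    # valid first line, arbitrary second line
  "not a name!\nqueue_size",    # arbitrary first line, valid last line
].freeze

# True when the pattern treats the whole input as a valid attribute name.
def accepts?(pattern, input)
  pattern.match?(input)
end

# Maps each input to the labels of the patterns that accept it.
def report(samples = SAMPLES)
  samples.to_h do |input|
    [input, PATTERNS.select { |_, re| accepts?(re, input) }.keys]
  end
end

if __FILE__ == $PROGRAM_NAME
  report.each do |input, labels|
    verdict = labels.empty? ? "none" : labels.join(", ")
    puts format("%-28s accepted by: %s", input.inspect, verdict)
  end
end
```

In Ruby, `^` and `$` match at every line boundary regardless of flags, so one valid line anywhere in the input satisfies the line-anchored pattern; `\Z` still tolerates a single trailing newline, which is why the replacement uses `\z`.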

Contributor

github-actions bot commented Nov 8, 2025

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
  • /run exhaustive tests : Run the exhaustive tests Buildkite pipeline.

Contributor

mergify bot commented Nov 8, 2025

This pull request does not have a backport label. Could you fix it @odaysec? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit.
  • If no backport is necessary, please add the backport-skip label
