escape internal REs (#8857)

arangod/Aql/RegexCache.cpp

@@ -23,29 +23,16 @@
 
 #include "RegexCache.h"
 #include "Basics/Utf8Helper.h"
+#include <Basics/StringUtils.h>
 
 #include <velocypack/Collection.h>
 #include <velocypack/Dumper.h>
 #include <velocypack/Iterator.h>
 #include <velocypack/velocypack-aliases.h>
 
+
 using namespace arangodb::aql;
 
-namespace {
-
-static void escapeRegexParams(std::string& out, const char* ptr, size_t length) {
-  for (size_t i = 0; i < length; ++i) {
-    char const c = ptr[i];
-    if (c == '?' || c == '+' || c == '[' || c == '(' || c == ')' || c == '{' || c == '}' ||
-        c == '^' || c == '$' || c == '|' || c == '.' || c == '*' || c == '\\') {
-      // character with special meaning in a regex
-      out.push_back('\\');
-    }
-    out.push_back(c);
-  }
-}
-
-}  // namespace
 
 RegexCache::~RegexCache() { clear(); }
 
@@ -89,12 +76,12 @@ icu::RegexMatcher* RegexCache::buildSplitMatcher(AqlValue const& splitExpression
 
       arangodb::velocypack::ValueLength length;
       char const* str = it.getString(length);
-      ::escapeRegexParams(rx, str, length);
+      basics::StringUtils::escapeRegexParams(rx, str, length);
     }
   } else if (splitExpression.isString()) {
     arangodb::velocypack::ValueLength length;
     char const* str = slice.getString(length);
-    ::escapeRegexParams(rx, str, length);
+    basics::StringUtils::escapeRegexParams(rx, str, length);
     if (rx.empty()) {
       isEmptyExpression = true;
     }

lib/ApplicationFeatures/V8SecurityFeature.cpp

@@ -278,7 +278,7 @@ void V8SecurityFeature::start() {
       std::regex(_filesWhitelist, std::regex::nosubs | std::regex::ECMAScript);
 }
 
-void V8SecurityFeature::addToInternalWhitelist(std::string const& item, FSAccessType type) {
+void V8SecurityFeature::addToInternalWhitelist(std::string const& inItem, FSAccessType type) {
   // This function is not efficient and we would not need the _readWhitelist
   // to be persistent. But the persistence will help in debugging and
   // there are only a few items expected.
@@ -292,6 +292,8 @@ void V8SecurityFeature::addToInternalWhitelist(std::string const& item, FSAccess
     re = &_writeWhitelistRegex;
   }
 
+
+  auto item = arangodb::basics::StringUtils::escapeRegexParams(inItem);
   auto path = "^" + canonicalpath(item) + TRI_DIR_SEPARATOR_STR;
   set->emplace(std::move(path));
   expression->clear();

lib/Basics/StringUtils.cpp

@@ -2165,6 +2165,24 @@ bool gzipDeflate(std::string const& compressed, std::string& uncompressed) {
   return gzipDeflate(compressed.c_str(), compressed.size(), uncompressed);
 }
 
+void escapeRegexParams(std::string& out, const char* ptr, size_t length) {
+  for (size_t i = 0; i < length; ++i) {
+    char const c = ptr[i];
+    if (c == '?' || c == '+' || c == '[' || c == '(' || c == ')' || c == '{' || c == '}' ||
+        c == '^' || c == '$' || c == '|' || c == '.' || c == '*' || c == '\\') {
+      // character with special meaning in a regex
+      out.push_back('\\');
+    }
+    out.push_back(c);
+  }
+}
+
+std::string escapeRegexParams(std::string const& in) {
+  std::string out;
+  escapeRegexParams(out, in.data(), in.size());
+  return out;
+}
+
 }  // namespace StringUtils
 }  // namespace basics
 }  // namespace arangodb

lib/Basics/StringUtils.h

@@ -390,6 +390,10 @@ bool gzipUncompress(std::string const& compressed, std::string& uncompressed);
 bool gzipDeflate(char const* compressed, size_t compressedLength, std::string& uncompressed);
 
 bool gzipDeflate(std::string const& compressed, std::string& uncompressed);
+
+void escapeRegexParams(std::string& out, const char* ptr, size_t length);
+std::string escapeRegexParams(std::string const& in);
+
 }  // namespace StringUtils
 }  // namespace basics
 }  // namespace arangodb