Improve regex error messages to surface pattern in output#85
Improve regex error messages to surface pattern in output#85
Conversation
Wrap regexp compile errors to include the full pattern string, making it easy to identify which directive failed and audit patterns in PR reviews. Update existing tests and add new cases covering the improved error format, missing-slashes validation, and a valid-pattern regression. Add a security note to the package godoc. Closes #83
|
Closing this — the original security analysis was wrong. The issue assumed an attacker who can write to the markdown file but cannot read the source files being embedded. That combination is implausible: anyone with write access to the repo's docs almost certainly has read access to the source too. If they can edit the markdown they can just copy the file contents directly — no regex tricks needed. The "error message leaks path information" finding is even weaker: the path in the error comes from the directive the attacker wrote themselves, so it tells them nothing they don't already know. The only scenario where controlling embed directives would be a genuine privilege escalation is if The improved error messages (including the pattern in the output) are still useful for debugging, so that commit can stay — but it's a usability improvement, not a security fix. |
1 participant
Summary
regexp.CompilePOSIXerrors to include the full pattern string (e.g.invalid regexp /(/: error parsing regexp: ...), making it straightforward to identify which embed directive failed and to audit patterns in PR reviews.TestExtractcases: invalid regexp shows pattern in error, missing slashes reports value, and a valid-pattern regression test.Test plan
go test ./...passes with all existing and new test cases.Closes #83