fix(auto-triage): avoid regex backtracking in classification parser #3927

Merged: RSO merged 3 commits into main from flawless-beryllium on Jun 11, 2026

Conversation

RSO (Contributor) commented Jun 10, 2026

Summary

  • Replace the classification parser's markdown code-fence regex with a linear scanner.
  • Preserve parsing support for bare, json, and JSON fenced blocks while avoiding CodeQL's polynomial ReDoS risk.

Verification

N/A

Visual Changes

N/A

Reviewer Notes

  • Addresses CodeQL alert 421 for js/polynomial-redos in services/auto-triage-infra/src/parsers/classification-parser.ts.
  • Automated checks run locally: pnpm format, pnpm --filter kilo-auto-triage-worker typecheck, pnpm --filter kilo-auto-triage-worker lint.
  • Autoreview was attempted twice with `~/.kilocode/skills/autoreview/scripts/autoreview --mode local`, but the helper failed before reviewing with `kilo engine failed (1): Error: Session not found`.

kilo-code-bot (Bot) commented Jun 10, 2026

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

| Severity   | Count |
|------------|-------|
| CRITICAL   | 0     |
| WARNING    | 0     |
| SUGGESTION | 1     |

Issue Details

SUGGESTION

| File | Line | Issue |
|------|------|-------|
| services/auto-triage-infra/src/parsers/classification-parser.ts | 115–116 | Stale comment references the now-removed regex |

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

| File | Line | Issue |
|------|------|-------|
| services/auto-triage-infra/src/parsers/classification-parser.ts | 115–116 | Comment reads _"The regex with lazy quantifier can miss the final block in very large texts with many markers, so search backwards from the end instead."_ — the regex it refers to was just removed by this PR. The fallback logic itself (backward tail search) remains useful as a belt-and-suspenders catch for malformed or nested fences, but the stated rationale is now misleading. Consider updating the comment to explain the actual remaining risk (e.g. nested/embedded ``` inside block content). |
Correctness notes

The core fix is sound:

  • The `[\s\S]*?` lazy quantifier that drove the polynomial ReDoS is correctly eliminated.
  • `fenceInfo.trim()` handles `\r\n` line endings for the opening fence — no regression there.
  • The `blockEnd` guard when `closingFence === 0` is harmless (`text[-1]` returns `undefined`, condition is false).
  • Embedded triple-backticks in JSON string values could still cause an early close, but `JSON.parse` would fail and the parser moves on — same behaviour as the original regex.
Files Reviewed (1 file)
  • services/auto-triage-infra/src/parsers/classification-parser.ts — 1 observation (stale comment, not in diff)

Reviewed by claude-sonnet-4.6 · 191,618 tokens

Review guidance: REVIEW.md from base branch main
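The PR summary describes the fix only as "replace the regex with a linear scanner", and the bot's correctness notes list the edge cases that matter for it: `\r\n` on the opening fence, an embedded ``` inside a JSON string closing a block early, and the backward tail search that remains as a fallback. The TypeScript below is an added illustration of that approach written for this page; it is not the project's `classification-parser.ts`, and the names `scanFencedBlocks`, `lastFencedBlock`, `parseClassification`, `isJsonFence` and the two sample strings are assumptions constructed for the example. It walks the text once with `indexOf`, so the cost stays linear in the input no matter how many stray ``` markers a model emits, and it shows how the backward fallback recovers the final block when an unpaired embedded fence throws the forward scan out of alignment.

```typescript
// Added example (not the project's code): single-pass fenced-block scanner
// with a backward tail fallback, in the spirit of the PR's regex replacement.

interface FencedBlock {
  info: string;    // info string after the opening fence, trimmed ("" for a bare fence)
  content: string; // raw text between the fences
}

// "```" built by repetition so this example survives being shown inside a markdown fence.
const FENCE = "`".repeat(3);

// Accept bare, json and JSON fences, as the PR summary describes.
function isJsonFence(info: string): boolean {
  return info === "" || info === "json" || info === "JSON";
}

// Forward scan: each indexOf advances past what it found, so every character is
// visited a bounded number of times; no lazy quantifier, no polynomial backtracking.
function scanFencedBlocks(text: string): FencedBlock[] {
  const blocks: FencedBlock[] = [];
  let pos = 0;
  while (pos < text.length) {
    const open = text.indexOf(FENCE, pos);
    if (open === -1) break;
    const lineEnd = text.indexOf("\n", open + FENCE.length);
    if (lineEnd === -1) break; // opening fence with no line break: unterminated
    // trim() also strips the "\r" of a CRLF line ending from the info string.
    const info = text.slice(open + FENCE.length, lineEnd).trim();
    const close = text.indexOf(FENCE, lineEnd + 1);
    if (close === -1) break; // no closing fence left in the text
    blocks.push({ info, content: text.slice(lineEnd + 1, close) });
    pos = close + FENCE.length;
  }
  return blocks;
}

// Backward tail search: the last ``` pair in the text. An unpaired ``` embedded
// in block content shifts every later forward match by one fence, so the final
// block (usually the one that matters) can be missed; this catches that case.
function lastFencedBlock(text: string): FencedBlock | null {
  const close = text.lastIndexOf(FENCE);
  if (close < FENCE.length) return null;
  const open = text.lastIndexOf(FENCE, close - FENCE.length);
  if (open === -1) return null;
  const lineEnd = text.indexOf("\n", open + FENCE.length);
  if (lineEnd === -1 || lineEnd >= close) return null;
  return { info: text.slice(open + FENCE.length, lineEnd).trim(), content: text.slice(lineEnd + 1, close) };
}

function tryParse(block: FencedBlock): Record<string, unknown> | null {
  if (!isJsonFence(block.info)) return null;
  try {
    const value = JSON.parse(block.content);
    return value !== null && typeof value === "object" && !Array.isArray(value)
      ? (value as Record<string, unknown>)
      : null;
  } catch {
    return null; // e.g. content cut short by an embedded ```: move on to the next block
  }
}

// First parseable JSON object among the fenced blocks, else the last ``` pair.
function parseClassification(text: string): Record<string, unknown> | null {
  for (const block of scanFencedBlocks(text)) {
    const parsed = tryParse(block);
    if (parsed) return parsed;
  }
  const tail = lastFencedBlock(text);
  return tail ? tryParse(tail) : null;
}

// Constructed sample outputs (not taken from the project or its logs).
const SAMPLE_CRLF =
  "Result:\r\n" + FENCE + "json\r\n{\"label\": \"question\"}\r\n" + FENCE + "\r\n";

// The first block contains an unpaired ``` inside a JSON string; the forward scan
// closes it early, misaligns on the rest, and the tail fallback recovers the last block.
const SAMPLE_EMBEDDED =
  "Reasoning\n" + FENCE + "json\n{\"label\": \"see " + FENCE + "inline\"}\n" + FENCE + "\n" +
  "Final:\n" + FENCE + "JSON\n{\"label\": \"bug\", \"confidence\": 0.9}\n" + FENCE + "\n";

console.log(parseClassification(SAMPLE_CRLF));
console.log(parseClassification(SAMPLE_EMBEDDED));
```

On `SAMPLE_EMBEDDED` the forward scan yields two blocks (`json` with truncated content, then a bare block whose content is the prose between fences), neither of which parses, and the tail search returns the `JSON` block. The forward pass and the fallback together touch each character a constant number of times, which is the property the CodeQL alert was asking for.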

@RSO RSO merged commit 5e422ff into main Jun 11, 2026
15 checks passed
@RSO RSO deleted the flawless-beryllium branch June 11, 2026 06:37