fix(backend): make google-re2 a hard dependency, drop re fallback (B1)

Code-review BLOCKER B1. Reaffirms D-011: a `re` stdlib fallback defeats the
OPSEC-safe-regex guarantee because hostile C2 output can trigger catastrophic
backtracking. The `[:1MB]` slice cap does not mitigate that — re-evaluating
a malicious pattern over 1 MB of attacker-controlled text is still a worker
freeze.

- `mimic.templating.filters` now imports `re2` unconditionally and raises
  `RuntimeError` at module load if the binding is absent. No `re` import,
  no `_HAS_RE2` branch, no `_FALLBACK_MAX_INPUT`.
- `pyproject.toml` already pinned `google-re2 >= 1.1, < 2.0`; this commit
  hardens the import path to actually enforce it.
- New test `test_re2_is_required` asserts the binding is wired in.

This commit is contained in:
knacky
2026-05-22 05:23:47 +02:00
parent adab8a58e7
commit 90f8141cfc
4 changed files with 25 additions and 41 deletions


@@ -30,6 +30,7 @@ dependencies = [
"click>=8.1,<9.0",
"gevent>=24.2,<25.0",
"gevent-websocket>=0.10,<1.0",
"gunicorn>=22.0,<24.0",
"httpx>=0.27,<1.0",
"weasyprint>=61.0,<62.0",
"authlib>=1.3,<2.0",
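Review bot: the hunk header `@@ -30,6 +30,7 @@ dependencies = [` records one line added to the `dependencies` list, which does not match the commit message's claim that `pyproject.toml` "already pinned `google-re2 >= 1.1, < 2.0`"; the added line is also not in the visible part of the hunk (every line shown, from `"click>=8.1,<9.0"` to `"authlib>=1.3,<2.0"`, is unchanged context). If this hunk is where the `google-re2` pin actually enters the project, the message should say so rather than describe the pin as pre-existing; if it adds a different dependency, the message should list it, since a new runtime dependency in a "hard dependency" commit is exactly what a reviewer needs to see.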