Fix CodeQL security alerts (#24198)

* Attempt to eliminate polynomial regular expression used on uncontrolled data Closes https://github.com/github/docs-internal/security/code-scanning/112?query=ref%3Arefs%2Fheads%2Fmain Closes https://github.com/github/docs-internal/security/code-scanning/107?query=ref%3Arefs%2Fheads%2Fmain * Attempt to eliminate incomplete multi-character sanitization Closes https://github.com/github/docs-internal/security/code-scanning/113?query=ref%3Arefs%2Fheads%2Fmain * Keep closer to original pattern for now Co-authored-by: Peter Bengtsson <peterbe@github.com> Co-authored-by: Peter Bengtsson <peterbe@github.com>
2022-01-11 15:11:09 -06:00 · 2022-01-11 15:11:09 -06:00 · 23186b969c
--- a/lib/get-liquid-data-references.js
+++ b/lib/get-liquid-data-references.js
@ -4,11 +4,7 @@ import patterns from './patterns.js'

 export default function getLiquidDataReferences(text) {
  return (text.match(patterns.dataReference) || []).map((ref) => {
-    const cleaned = ref
-      .replace(/\.\.\//g, '')
-      .replace('{% data', '')
-      .replace('%}', '')
-      .trim()
+    const cleaned = ref.replace(/\.+\//g, '').replace('{% data', '').replace('%}', '').trim()

    return `site.data.${cleaned}`
  })
--- a/lib/patterns.js
+++ b/lib/patterns.js
@ -16,7 +16,7 @@ export const enterpriseHomepage = /\/enterprise\/?(\d+\.\d+)?$/
 export const desktop = /desktop\//
 export const oldGuidesPath = /(\/admin|(^|\/)desktop)\/guides/
 // need to capture 11.10.340 and 2.0+
-export const getEnterpriseVersionNumber = /^.*?enterprise\/(\d+\.\d+(?:\.340)?).*?$/
+export const getEnterpriseVersionNumber = /enterprise\/(\d+\.\d+(?:\.340)?)/
 export const removeEnterpriseVersion = /(enterprise\/)\d+\.\d+\//
 export const guides = /guides\//
 export const hasLanguageCode = /^\/[a-z]{2}(\/|$|\?)/