fix: vulnerable to polynomial runtime due to backtracking

halber · halber · commit 7700cbb4ddc4 · 2025-10-30T08:24:05.000+01:00
diff --git a/src/main/java/io/neonbee/endpoint/odatav4/ODataProxyEndpointHandler.java b/src/main/java/io/neonbee/endpoint/odatav4/ODataProxyEndpointHandler.java
@@ -31,7 +31,7 @@ public final class ODataProxyEndpointHandler implements Handler<RoutingContext>
 
     // Regex to find last path segment
     private static final Pattern ENTITY_NAME_PATTERN =
-            Pattern.compile("/(\\w+)(?:\\(.*\\))?(?:/(\\w+))?$");
+            Pattern.compile("/(\\w+)(?:\\([^)]*\\))?(?:/(\\w+))?$");
 
     private final ServiceMetadata serviceMetadata;
 
diff --git a/src/main/java/io/neonbee/entity/AbstractEntityVerticle.java b/src/main/java/io/neonbee/entity/AbstractEntityVerticle.java
@@ -95,8 +95,8 @@ public abstract class AbstractEntityVerticle<T> extends DataVerticle<T> {
      * </pre>
      */
     @VisibleForTesting
-    static final Pattern URI_PATH_PATTERN =
-            Pattern.compile("^/*((?:(.*)\\.)?(.*?))/(([A-Za-z_]\\w+).*?)(?:(?<=\\))/(.*))?$");
+    static final Pattern URI_PATH_PATTERN = Pattern.compile(
+            "^/*(?<serviceNamespace>(?:(?<cdsNamespace>[^/]+(?:/[^/]+)*)\\.)?(?<cdsServiceName>[^/\\.]+))/(?<entityPath>(?<entitySetName>[A-Za-z_]\\w*)(?:[^/]*))(?:/(?<entityPropertyName>.*))?$");
 
     private static final LoggingFacade LOGGER = LoggingFacade.create();
 
