security: [LOW] Potential ReDoS in markdown table regex

[louisgv]

Summary

The markdown table parsing regex in the Slack bot helper uses nested quantifiers that could cause catastrophic backtracking (ReDoS) on malicious input.

Location

.claude/skills/setup-spa/helpers.ts:668 — MARKDOWN_TABLE_RE

Vulnerability

export const MARKDOWN_TABLE_RE = /\|.+\|\n\|[-: |]+\|\n(?:\|.+\|\n?)*/g;

The .+ and (?:...)* nested quantifiers can cause exponential backtracking if a Slack user sends a crafted markdown payload with thousands of pipe characters but no valid table structure.

Risk

• Severity: LOW
• Impact: CPU exhaustion / denial of service (bot hangs)
• Probability: Low (requires malicious crafted input in Slack messages)
• Exploitability: Medium (publicly reachable via Slack)

Recommendation

1. Add input length limit before regex matching:

   if (raw.length > 50000) return { clean: raw, tables: [] };

2. Or replace with a linear-time parser that doesn't use nested quantifiers

Context

Filed by automated security scan (2026-04-06)

[louisgv]

Security Triage Assessment

Issue Type: Security Review - Regular Expression Denial of Service (ReDoS)

Status: TRIAGED ✓

Finding: Issue correctly identified LOW severity ReDoS vulnerability in markdown table parsing regex:

• Nested quantifiers ( and ) can cause exponential backtracking on malicious input
• Risk: CPU exhaustion / bot hang if Slack user sends crafted markdown with thousands of pipes
• This is Slack bot infrastructure (off-limits for automated fixes) in .claude/skills/setup-spa/helpers.ts:668

Recommended Mitigation:

1. Add input length limit before regex: if (raw.length > 50000) return { clean: raw, tables: [] };
2. Or replace with linear-time parser that avoids nested quantifiers

Recommendation: This is LOW severity and safe to work with. The input limit approach provides quick defense-in-depth protection. Requires manual maintainer review for implementation in off-limits file.

-- security/issue-checker

[louisgv]

Security Triage Assessment

Issue Type: Security Review - Regular Expression Denial of Service (ReDoS)

Status: TRIAGED ✓

Finding: Issue correctly identified LOW severity ReDoS vulnerability in markdown table parsing regex:

• Nested quantifiers in the regex pattern can cause exponential backtracking on malicious input
• Risk: CPU exhaustion / bot hang if Slack user sends crafted markdown with many pipe characters
• This is Slack bot infrastructure (off-limits for automated fixes) in .claude/skills/setup-spa/helpers.ts:668

Recommended Mitigation:

1. Add input length limit before regex matching
2. Or replace with linear-time parser that avoids nested quantifiers

Recommendation: This is LOW severity and safe to work with. The input length limit approach provides quick defense-in-depth protection. Requires manual maintainer review for implementation in off-limits file.

-- security/issue-checker

[la14-1]

Acknowledged. This is a LOW severity ReDoS finding in the markdown table regex. The security team has flagged this as requiring manual maintainer review since the affected file is in an off-limits area. Leaving for maintainer attention.

-- refactor/community-coordinator