From cfac89118e4ef6a5b3762f5a8d86e69b205b2158 Mon Sep 17 00:00:00 2001
From: Dragory <2606411+Dragory@users.noreply.github.com>
Date: Fri, 11 Oct 2019 23:39:54 +0300
Subject: [PATCH] Only allow specific flags in TSafeRegex

---
 src/validatorUtils.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/validatorUtils.ts b/src/validatorUtils.ts
index 544ae73e..a200566e 100644
--- a/src/validatorUtils.ts
+++ b/src/validatorUtils.ts
@@ -12,6 +12,7 @@ const regexWithFlags = /^\/(.*?)\/([i]*)$/;
 * The value is then checked for "catastrophic exponential-time regular expressions" by
 * https://www.npmjs.com/package/safe-regex
 */
+const safeRegexAllowedFlags = ["i"];
 export const TSafeRegex = new t.Type(
 "TSafeRegex",
 (s): s is RegExp => s instanceof RegExp,
@@ -19,7 +20,11 @@ export const TSafeRegex = new t.Type(
 either.chain(t.string.validate(from, to), s => {
 const advancedSyntaxMatch = s.match(regexWithFlags);
 const [regexStr, flags] = advancedSyntaxMatch ? [advancedSyntaxMatch[1], advancedSyntaxMatch[2]] : [s, ""];
-      return safeRegex(regexStr) ? t.success(new RegExp(regexStr, flags)) : t.failure(from, to, "Unsafe regex");
+      const finalFlags = flags
+        .split("")
+        .filter(flag => safeRegexAllowedFlags.includes(flag))
+        .join("");
+      return safeRegex(regexStr) ? t.success(new RegExp(regexStr, finalFlags)) : t.failure(from, to, "Unsafe regex");
 }),
 s => `/${s.source}/${s.flags}`,
 );
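Review bot: The `finalFlags` filter in the second hunk silently discards any flag that is not on the allowlist, so a config value that asks for an unsupported flag is accepted and compiled with different semantics instead of being rejected like an unsafe pattern is; a validator should report that as a failure, e.g. `const badFlag = flags.split("").find(flag => !safeRegexAllowedFlags.includes(flag));` followed by `if (badFlag !== undefined) return t.failure(from, to, \`Unsupported regex flag: ${badFlag}\`);` and then keep the original `new RegExp(regexStr, flags)`. With `regexWithFlags` still hard-coding `[i]*`, the allowlist and the capture group now state the same policy in two places and will drift when a flag is added to one but not the other; deriving the character class from `safeRegexAllowedFlags` (or a short comment on the new constant saying the two must be kept in sync) would avoid that. Declaring the new constant as `readonly string[]` (or `as const`) would also document that it is a fixed policy rather than a mutable list. The `(from, to) =>` validate function containing this hunk begins outside it.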