From 9f4a814fcef9740fb550c3c913945996c3a31751 Mon Sep 17 00:00:00 2001
From: Michael Bromley <michael@michaelbromley.co.uk>
Date: Wed, 18 Sep 2024 14:17:29 +0200
Subject: [PATCH] fix(core): Prevent theoretical polynomial regex attack

https://github.com/vendure-ecommerce/vendure/security/code-scanning/43
---
 packages/core/src/common/utils.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/packages/core/src/common/utils.ts b/packages/core/src/common/utils.ts
index 3c9d02889c..7d5aab546d 100644
--- a/packages/core/src/common/utils.ts
+++ b/packages/core/src/common/utils.ts
@@ -76,6 +76,11 @@ export function normalizeEmailAddress(input: string): string {
  * identifiers for other authentication methods.
  */
 export function isEmailAddressLike(input: string): boolean {
+    if (input.length > 1000) {
+        // This limit is in place to prevent abuse via a polynomial-time regex attack
+        // See https://github.com/vendure-ecommerce/vendure/security/code-scanning/43
+        throw new Error('Input too long');
+    }
     return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(input.trim());
 }