From d8c69e87e20e0789c5e44cd8c04b8acdbfeb62fc Mon Sep 17 00:00:00 2001
From: Cody Kickertz
Date: Sun, 21 Dec 2025 11:50:11 -0600
Subject: [PATCH] fix(security): add regex timeouts for ReDoS prevention (#97)

Add TimeSpan.FromSeconds(1) timeout to remaining regex patterns:
- FileNameBuilder.cs: EditionOrdinalRegex, EditionUppercaseRegex
- Parser.cs: SlugSpaceRegex, SlugInvalidCharsRegex, SlugDuplicateDefaultRegex

Clears final 5 SonarCloud security hotspots for 100% review coverage

Co-authored-by: admin
---
 src/NzbDrone.Core/Organizer/FileNameBuilder.cs | 4 ++--
 src/NzbDrone.Core/Parser/Parser.cs | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/NzbDrone.Core/Organizer/FileNameBuilder.cs b/src/NzbDrone.Core/Organizer/FileNameBuilder.cs
index 78ee1df901..291ad9d2b5 100644
--- a/src/NzbDrone.Core/Organizer/FileNameBuilder.cs
+++ b/src/NzbDrone.Core/Organizer/FileNameBuilder.cs
@@ -57,8 +57,8 @@ public class FileNameBuilder : IBuildFileNames
         private static readonly Regex ReservedDeviceNamesRegex = new Regex(@"^(?:aux|com[1-9]|con|lpt[1-9]|nul|prn)\.", RegexOptions.Compiled | RegexOptions.IgnoreCase);
 
         // Edition token regex patterns
-        private static readonly Regex EditionOrdinalRegex = new Regex(@"((?:\b|_)\d{1,3}(?:st|th|rd|nd)(?:\b|_))", RegexOptions.Compiled | RegexOptions.IgnoreCase);
-        private static readonly Regex EditionUppercaseRegex = new Regex(@"((?:\b|_)(?:IMAX|3D|SDR|HDR|DV)(?:\b|_))", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+        private static readonly Regex EditionOrdinalRegex = new Regex(@"((?:\b|_)\d{1,3}(?:st|th|rd|nd)(?:\b|_))", RegexOptions.Compiled | RegexOptions.IgnoreCase, TimeSpan.FromSeconds(1));
+        private static readonly Regex EditionUppercaseRegex = new Regex(@"((?:\b|_)(?:IMAX|3D|SDR|HDR|DV)(?:\b|_))", RegexOptions.Compiled | RegexOptions.IgnoreCase, TimeSpan.FromSeconds(1));
 
         // generated from https://www.loc.gov/standards/iso639-2/ISO-639-2_utf-8.txt
         public static readonly ImmutableDictionary Iso639BTMap = new Dictionary
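Review bot: The 1-second timeout makes `RegexMatchTimeoutException` a new possible exception from every `EditionOrdinalRegex` and `EditionUppercaseRegex` call, and nothing in the hunk shows how the callers (outside this hunk) treat it — a rename that throws mid-run and one that falls back to the raw token are different behaviours, so the chosen one should be stated at the declaration. Both patterns are bounded (`\d{1,3}` plus a fixed alternation) and are not backtracking hazards in themselves, so the timeout is a uniform defence-in-depth ceiling rather than a fix for a slow pattern; a comment such as `// 1s match timeout: uniform ceiling against pathological input, not a known-slow pattern` stops a later reader hunting for the hazard. The literal `TimeSpan.FromSeconds(1)` is now repeated across this class and Parser.cs; a single `private static readonly TimeSpan RegexTimeout = TimeSpan.FromSeconds(1);` per class, or one process-wide default through the `REGEX_DEFAULT_MATCH_TIMEOUT` AppDomain data slot, keeps the policy in one place and covers any regex the scanner did not flag. The same points apply to the Parser.cs hunk below.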
@@ -138,9 +138,9 @@ public static class Parser
         private static readonly Regex RequestInfoRegex = new Regex(@"^(?:\[.+?\])+", RegexOptions.Compiled);
 
         // ToUrlSlug regex patterns
-        private static readonly Regex SlugSpaceRegex = new Regex(@"\s", RegexOptions.Compiled);
-        private static readonly Regex SlugInvalidCharsRegex = new Regex(@"[^a-z0-9\s-_]", RegexOptions.Compiled);
-        private static readonly Regex SlugDuplicateDefaultRegex = new Regex(@"([-_]){2,}", RegexOptions.Compiled);
+        private static readonly Regex SlugSpaceRegex = new Regex(@"\s", RegexOptions.Compiled, TimeSpan.FromSeconds(1));
+        private static readonly Regex SlugInvalidCharsRegex = new Regex(@"[^a-z0-9\s-_]", RegexOptions.Compiled, TimeSpan.FromSeconds(1));
+        private static readonly Regex SlugDuplicateDefaultRegex = new Regex(@"([-_]){2,}", RegexOptions.Compiled, TimeSpan.FromSeconds(1));
 
         private static readonly string[] Numbers = new[] { "zero", "one", "two", "three", "four", "five", "six", "seven", "eight", "nine" };
 
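Review bot: In `SlugInvalidCharsRegex` the class `[^a-z0-9\s-_]` reads as a range from `\s` to `_`; .NET appears to accept it with the hyphen taken literally because a shorthand class cannot start a range, but that is easy to break in a later edit, and `[^a-z0-9\s_-]` expresses the same set unambiguously — confirm with a slug round-trip test before changing it. All three slug patterns are a single character class or a bounded run of one, so they cannot backtrack catastrophically and the timeout here is a uniform ceiling only; a one-line note such as `// linear patterns; timeout is a uniform ceiling, not a fix for a slow match` would make that explicit. ToUrlSlug, which uses these and lies outside the hunk, can now surface `RegexMatchTimeoutException` to its callers, which the commit does not address.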