Merge pull request #1376 from topcoder-platform/alert-autofix-71

kkartunov · web-flow · commit 92a39625fe94 · 2025-12-12T09:15:24.000+02:00
Potential fix for code scanning alert no. 71: Incomplete string escaping or encoding
diff --git a/src/apps/review/src/lib/utils/metadataMatching.ts b/src/apps/review/src/lib/utils/metadataMatching.ts
@@ -112,9 +112,14 @@ export function findMetadataPhaseMatch(
             return { source: 'stringExact' }
         }
 
-        const escapedTarget = escapeRegexLiteral(target)
-            .replace(/ /g, '\\ ')
-        const sepInsensitive = new RegExp(`\\b${escapedTarget.replace(/\\ /g, '[-_\\s]+')}\\b`)
+        // Replace all sequences of space, underscore, or hyphen in the target with a placeholder
+        const WORDSEP_PLACEHOLDER = '__WORDSEP__'
+        const sepPattern = /[ \-_]+/g
+        const targetWithPlaceholder = target.replace(sepPattern, WORDSEP_PLACEHOLDER)
+        // Properly escape ALL regex metacharacters (including backslash), leaving the placeholder intact
+        const escapedTarget = escapeRegexLiteral(targetWithPlaceholder)
+            .replace(new RegExp(escapeRegexLiteral(WORDSEP_PLACEHOLDER), 'g'), '[-_\\s]+')
+        const sepInsensitive = new RegExp(`\\b${escapedTarget}\\b`)
         if (sepInsensitive.test(normalizedMetadata)) {
             return { source: 'stringBoundary' }
         }
