fix: prevent regex DoS vulnerability in formatNumber function

AntaresSimulatorTeam · Oct 14, 2024 · 5929d82 · 5929d82
1 parent 5af5fcf
commit 5929d82
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/webapp/src/components/common/MatrixGrid/index.tsx b/webapp/src/components/common/MatrixGrid/index.tsx
@@ -171,7 +171,7 @@ function MatrixGrid({
         gridSelection={selection}
         onGridSelectionChange={setSelection}
         keybindings={{ paste: false, copy: false }}
-        onPaste={false}
+        getCellsForSelection // TODO handle large copy/paste using this
         fillHandle
         allowedFillDirections="any"
         rowMarkers="both"

diff --git a/webapp/src/components/common/MatrixGrid/utils.ts b/webapp/src/components/common/MatrixGrid/utils.ts
@@ -117,8 +117,17 @@ export function formatNumber(num: number | undefined): string {
   }
 
   const [integerPart, decimalPart] = num.toString().split(".");
-  // Format integer part with thousand separators
-  const formattedInteger = integerPart.replace(/\B(?=(\d{3})+(?!\d))/g, " ");
+
+  // Format integer part with thousand separators using a non-regex approach
+  const formattedInteger = integerPart
+    .split("")
+    .reverse()
+    .reduce((acc, digit, index) => {
+      if (index > 0 && index % 3 === 0) {
+        return digit + " " + acc;
+      }
+      return digit + acc;
+    }, "");
 
   // Return formatted number, preserving decimal part if it exists
   return decimalPart ? `${formattedInteger}.${decimalPart}` : formattedInteger;