fix(security): code scanner RE2 lookahead panics server at startup (#552) #742
Reference in New Issue
Block a user
Delete Branch "fix/code-scanner-re2-panic"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Critical — server crash-loops at startup
Deploying the current code to the dev host surfaced a hard panic on boot:
The
deserialize-yaml-pyscanner rule used a negative lookahead(?!\s*#)inregexp.MustCompile. Go's regexp engine is RE2, which has no lookahead/lookbehind — soMustCompilepanics during the packageinit(), crash-looping the whole server before it can serve a request.Why it wasn't caught
go buildandgo vetdon't executeinit(), and CI never boots the binary, so this shipped tomainvia #552 (#717) undetected. The live instances survive only because they run an older image built before #552. The dev deploy is the first time this code actually ran — and it crash-looped (healthy → unhealthy → 502).Fix
(?i)yaml\.load\s*\(, matching the rule's stated intent (flagyaml.load()withoutSafeLoader, CWE-502).code_scanner_test.go) that forces the packageinit()and asserts everyDefaultCodeRulespattern compiled — so a future RE2-incompatible regexp fails in CI here, not on a live deploy.MustCompile.Verification (local, Go 1.26.3)
go test ./services/security/...→ ok (the test executesinit(); previously it panicked).https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT