prevent polynomial regular expression used on uncontrolled data security issue

ewaostrowska · ewaostrowska · commit fa55a1d52bc0 · 2025-11-04T15:29:48.000+01:00
diff --git a/modules/swagger-codegen/src/main/java/io/swagger/codegen/DefaultCodegen.java b/modules/swagger-codegen/src/main/java/io/swagger/codegen/DefaultCodegen.java
@@ -3219,21 +3219,15 @@ protected void addParentContainer(CodegenModel m, String name, Property property
      * @return The underscored version of the word
      */
     public static String underscore(String word) {
-        String firstPattern = "([A-Z]+)([A-Z][a-z][a-z]+)";
-        String secondPattern = "([a-z\\d])([A-Z])";
+        Pattern firstPattern = Pattern.compile("(?<=[A-Z])(?=[A-Z][a-z]{2,})");
+        Pattern secondPattern = Pattern.compile("(?<=[a-z\\d])(?=[A-Z])");
         String replacementPattern = "$1_$2";
-        // Replace package separator with slash.
-        word = word.replaceAll("\\.", "/"); // FIXME: a parameter should not be assigned. Also declare the methods parameters as 'final'.
-        // Replace $ with two underscores for inner classes.
-        word = word.replaceAll("\\$", "__");
-        // Replace capital letter with _ plus lowercase letter.
-        word = word.replaceAll(firstPattern, replacementPattern);
-        word = word.replaceAll(secondPattern, replacementPattern);
-        word = word.replace('-', '_');
-        // replace space with underscore
-        word = word.replace(' ', '_');
-        word = word.toLowerCase();
-        return word;
+
+        String replaced = word.replace('.', '/').replace("$", "__");
+        replaced = firstPattern.matcher(replaced).replaceAll("_");
+        replaced = secondPattern.matcher(replaced).replaceAll("_");
+        replaced = replaced.replace('-', '_').replace(' ', '_').toLowerCase();
+        return replaced;
     }
 
     /**
diff --git a/modules/swagger-codegen/src/test/java/io/swagger/codegen/CodegenTest.java b/modules/swagger-codegen/src/test/java/io/swagger/codegen/CodegenTest.java
@@ -51,6 +51,7 @@ public void underscoreNamesTest() {
 
         Assert.assertEquals(codegen.underscore("FooBar"), "foo_bar");
         Assert.assertEquals(codegen.underscore("FooBarBaz"), "foo_bar_baz");
+        Assert.assertEquals(codegen.underscore("HTTPServer"), "http_server");
     }
 
     @Test(description = "test camelize")

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,7 @@ public void underscoreNamesTest() {`
`51`	`51`
`52`	`52`	`Assert.assertEquals(codegen.underscore("FooBar"), "foo_bar");`
`53`	`53`	`Assert.assertEquals(codegen.underscore("FooBarBaz"), "foo_bar_baz");`
	`54`	`+ Assert.assertEquals(codegen.underscore("HTTPServer"), "http_server");`
`54`	`55`	`}`
`55`	`56`
`56`	`57`	`@Test(description = "test camelize")`