@@ -217,14 +217,14 @@ function deriveRoot(declaredPath: string, extractCwd: string): string {
217217 * security concern here: `seg` originates from the calling workflow's
218218 * own declared cache `paths:`, so a hostile value would only DoS the
219219 * same workflow that supplied it — it doesn't cross a trust boundary.
220- * The `lgtm` comments below suppress CodeQL's `js/polynomial-redos`
221- * alert on that basis .
220+ * CodeQL flags this as `js/polynomial-redos`; the alert should be
221+ * dismissed in the Security tab with this comment as the rationale .
222222 */
223223function segmentHasGlob ( seg : string ) : boolean {
224224 const stripped = seg
225- . replace ( / \$ \{ [ ^ } ] + \} / g, '' ) // lgtm[js/polynomial-redos]
225+ . replace ( / \$ \{ [ ^ } ] + \} / g, '' )
226226 . replace ( / \$ [ A - Z a - z _ ] [ A - Z a - z 0 - 9 _ ] * / g, '' )
227- . replace ( / % [ ^ % ] + % / g, '' ) // lgtm[js/polynomial-redos]
227+ . replace ( / % [ ^ % ] + % / g, '' )
228228 return GLOB_CHAR_REGEX . test ( stripped )
229229}
230230
@@ -234,14 +234,14 @@ function expandEnvVars(input: string): string {
234234 result = result . replace (
235235 / \$ \{ ( [ ^ } ] + ) \} / g,
236236 ( _ , name ) => process . env [ name ] ?? ''
237- ) // lgtm[js/polynomial-redos]
237+ )
238238 // $VAR (POSIX-style identifier)
239239 result = result . replace (
240240 / \$ ( [ A - Z a - z _ ] [ A - Z a - z 0 - 9 _ ] * ) / g,
241241 ( _ , name ) => process . env [ name ] ?? ''
242242 )
243243 // %VAR% (Windows-style)
244- result = result . replace ( / % ( [ ^ % ] + ) % / g, ( _ , name ) => process . env [ name ] ?? '' ) // lgtm[js/polynomial-redos]
244+ result = result . replace ( / % ( [ ^ % ] + ) % / g, ( _ , name ) => process . env [ name ] ?? '' )
245245 return result
246246}
247247
0 commit comments