l3tchupkt commented on PR #9215:
URL: https://github.com/apache/pouchdb/pull/9215#issuecomment-4184049043
@janl Thanks for the feedback.
I agree that validating at `new PouchDB()` would be the ideal place
long-term.
In this PR, I added validation at `viewCleanup()` as a defense-in-depth
measure, since it’s the point where the value is used in a destructive
operation.
Regarding the regex:
* `^[^<>:"|?*]+$` filters out clearly unsafe characters (common across
file/path handling)
* `^[^<>:"|?*]+-mrview-[a-f0-9]{32}$` ensures only expected view DB names
are processed during cleanup
Happy to adjust the scope (e.g. limit validation to cleanup only or refine
the regex) based on your preference.
Best regards,
Lakshmikanthan K
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
