Bug Fix

The alphaNumericRegex() helper in actions/ql/lib/codeql/actions/Bash.qll no longer matched the regex shape documented in the QLDoc after the pinned-SHA example was widened to support either 40 or 64 hex characters. This caused the implementation and documentation to diverge for grouped and optional quantified forms.

What was the bug?

• alphaNumericRegex() only matched a single character class followed by one quantifier:
  • ^[0-9]+$
  • ^[A-Za-z0-9_]{40}$
• It did not match the updated documented form:
  • ^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$

How did you fix it?

• Expanded accepted regex structure

  • Reworked alphaNumericRegex() to build up the accepted pattern in stages:
    • an alphanumeric character class
    • a required quantifier (+ or {n})
    • optional grouping around that quantified term
    • an optional trailing ?
    • repetition of those terms between ^ and $

• Kept the helper aligned with the QLDoc example

  • The implementation now recognizes grouped suffixes such as ([0-9a-zA-Z]{24})?, which is the shape used by the updated pinned-SHA example.

• Minor cleanup

  • Fixed comment formatting in the helper while updating the implementation.

Example

alphaNumericRegex() now matches patterns of this form:

^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$