
fix: replace .* regex with safer patterns (ReDoS)#265

Merged
Mossaka merged 5 commits into main from copilot/fix-url-pattern-regex
Jan 17, 2026
Conversation

Contributor

Copilot AI commented Jan 17, 2026

The .* patterns in wildcardToRegex() and parseUrlPatterns() could be vulnerable to catastrophic backtracking with crafted inputs.

Changes

  • src/domain-patterns.ts: Replace .* with [a-zA-Z0-9.-]* for domain wildcards (RFC 1035 compliant characters only)
  • src/ssl-bump.ts: Replace .* with [^\s]* for URL path wildcards
  • Defense in depth: Add 512-char input length limit in isDomainMatchedByPattern()

Before/After

// Before: matches any character
wildcardToRegex('*.github.com')  // => '^.*\.github\.com$'

// After: matches only valid domain characters
wildcardToRegex('*.github.com')  // => '^[a-zA-Z0-9.-]*\.github\.com$'

Tests updated to reflect new pattern format. All 550 tests pass.

Original prompt

This section details the original issue you should resolve

<issue_title>[Security] Fix URL pattern regex vulnerable to catastrophic backtracking</issue_title>
<issue_description>
Priority

Medium

Description

The current URL pattern regex is vulnerable to catastrophic backtracking, which could lead to ReDoS (Regular Expression Denial of Service) attacks.

Impact

  • Severity: Medium
  • Attack Vector: Crafted URLs causing CPU exhaustion
  • Risk: Denial of Service, performance degradation

Proposed Solution

Replace vulnerable patterns with atomic grouping:

// Replace: .*
// With: (?>.*) 

Use atomic grouping to prevent backtracking on malicious inputs.

Effort Estimate

~2 hours

References

Comments on the Issue (you are @copilot in this section)


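The following is an added illustration of the two replacements the PR description lists (RFC 1035 character class for domain wildcards, non-whitespace class for URL path wildcards, and the 512-character cap applied before the regex runs). It is written for this page and is not the project's code from src/domain-patterns.ts or src/ssl-bump.ts; the function bodies, the escapeRegex helper, urlWildcardToRegex and the sample inputs are assumptions. It uses bounded character classes rather than the issue's proposed atomic group because ECMAScript regular expressions have no atomic grouping syntax.

```javascript
// Added example, not the project's implementation: names and bodies are assumed.
const MAX_DOMAIN_INPUT = 512; // length cap from the PR description (defense in depth)

// Escape regex metacharacters in the literal parts of a pattern so that
// '.' in 'github.com' matches only a dot.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Domain wildcard: '*' expands to the RFC 1035 character class, not '.*'.
// wildcardToRegex('*.github.com') => '^[a-zA-Z0-9.-]*\.github\.com$'
function wildcardToRegex(pattern) {
  const body = pattern.split('*').map(escapeRegex).join('[a-zA-Z0-9.-]*');
  return `^${body}$`;
}

// URL path wildcard: '*' expands to a run of non-whitespace, not '.*'.
function urlWildcardToRegex(pattern) {
  const body = pattern.split('*').map(escapeRegex).join('[^\\s]*');
  return `^${body}$`;
}

// Reject over-long input before the engine runs, then do an anchored match.
function isDomainMatchedByPattern(domain, pattern) {
  if (domain.length > MAX_DOMAIN_INPUT) return false;
  return new RegExp(wildcardToRegex(pattern)).test(domain);
}

function isUrlMatchedByPattern(url, pattern) {
  if (url.length > MAX_DOMAIN_INPUT) return false;
  return new RegExp(urlWildcardToRegex(pattern)).test(url);
}

// Constructed sample inputs (not from the page):
console.log(wildcardToRegex('*.github.com'));
console.log(isDomainMatchedByPattern('api.github.com', '*.github.com'));      // true
console.log(isDomainMatchedByPattern('evil.com/.github.com', '*.github.com')); // false: '/' is outside the class
console.log(isUrlMatchedByPattern('https://example.com/a b', 'https://example.com/*')); // false: space is outside the class
```

Because `[a-zA-Z0-9.-]*` and `[^\s]*` are each followed by a literal that cannot itself be consumed by the class in a way that creates overlapping alternatives, the engine has at most one way to split the input, and the length cap bounds the remaining linear work.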

Copilot AI and others added 2 commits January 17, 2026 05:07
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix URL pattern regex vulnerable to catastrophic backtracking fix(security): replace .* regex with safer patterns (ReDoS) Jan 17, 2026
Copilot AI requested a review from Mossaka January 17, 2026 05:12
@Mossaka Mossaka marked this pull request as ready for review January 17, 2026 09:12
@github-actions

github-actions bot commented Jan 17, 2026

✅ Coverage Check Passed

Overall Coverage

Metric       Base     PR       Delta
Lines        77.19%   77.26%   📈 +0.07%
Statements   77.27%   77.34%   📈 +0.07%
Functions    77.17%   77.17%   ➡️ +0.00%
Branches     69.76%   69.81%   📈 +0.05%

📁 Per-file Coverage Changes (2 files)

File                     Lines (Before → After)    Statements (Before → After)
src/domain-patterns.ts   97.2% → 97.4% (+0.14%)    97.3% → 97.4% (+0.14%)
src/ssl-bump.ts          32.1% → 33.3% (+1.19%)    32.1% → 33.3% (+1.19%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions bot commented Jan 17, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

@github-actions

github-actions bot commented Jan 17, 2026

🎬 THE END. Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

github-actions bot commented Jan 17, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved merged PRs
  • ✅ Playwright: Navigated to GitHub, verified title contains "GitHub"
  • ✅ File Writing: Created test file successfully
  • ✅ Bash: Verified file contents

Status: PASS

AI generated by Smoke Claude

@github-actions

Smoke Test Results (Run #21092103522)

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Successfully retrieved last 2 merged PRs
  • ❌ Playwright: Failed (missing system dependencies: libglib-2.0.so.0)
  • ✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-21092103522.txt with timestamp
  • ✅ Bash Tool: Successfully verified file contents

Overall Status: FAIL

cc: @Mossaka (author/assignee)

AI generated by Smoke Copilot

@github-actions

github-actions bot commented Jan 17, 2026

🎬 THE END. Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

github-actions bot commented Jan 17, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions bot commented Jan 17, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

@github-actions

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Successfully fetched PR data
  • ✅ Playwright: Page title contains "GitHub"
  • ✅ File Write: Created test file successfully
  • ✅ Bash: File read verification passed

Status: PASS

AI generated by Smoke Claude

@github-actions

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved PR data successfully
  • ❌ Playwright: Browser download failed (network restrictions)
  • ✅ File Creation: /tmp/gh-aw/agent/smoke-test-copilot-21092323705.txt created
  • ✅ Bash Tool: File verified successfully

Overall: PARTIAL PASS (3/4 tests passed)

Note: Playwright browser download blocked. Used curl fallback for connectivity test.

cc @Mossaka

AI generated by Smoke Copilot

@Mossaka Mossaka changed the title fix(security): replace .* regex with safer patterns (ReDoS) fix: replace .* regex with safer patterns (ReDoS) Jan 17, 2026
@Mossaka Mossaka merged commit f1a4dfe into main Jan 17, 2026
40 of 42 checks passed
@Mossaka Mossaka deleted the copilot/fix-url-pattern-regex branch January 17, 2026 20:19

Successfully merging this pull request may close these issues.

[Security] Fix URL pattern regex vulnerable to catastrophic backtracking

2 participants