From 4ad7ffbbdf697ad60557dacb6df1888252fb64a1 Mon Sep 17 00:00:00 2001
From: cbxcvl
Date: Fri, 27 Mar 2026 13:42:01 -0300
Subject: [PATCH] fix(renderer): remove ambiguous \s* from _BLOCK_RE to prevent ReDoS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The pattern \s*(.*?)\s* allowed polynomial backtracking when no closing *> delimiter was found — confirmed to hang at n=5000 whitespace chars. The \s* wrappers were redundant since group(1) is already stripped at the call site (line 278). Reported and patched with @pa1va. Closes #2323
---
 Scripts/python/src/theming/lib/renderer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Scripts/python/src/theming/lib/renderer.py b/Scripts/python/src/theming/lib/renderer.py
index 8e82295d5..1165ebb8a 100644
--- a/Scripts/python/src/theming/lib/renderer.py
+++ b/Scripts/python/src/theming/lib/renderer.py
@@ -138,7 +138,7 @@ class TemplateRenderer:
 COLOR_ARG_FILTERS = {"blend", "harmonize"}
 # Regex for block delimiters: <* ... *>
- _BLOCK_RE = re.compile(r'<\*\s*(.*?)\s*\*>', re.DOTALL)
+ _BLOCK_RE = re.compile(r'<\*(.*?)\*>', re.DOTALL)
 # Regex for expression tags: {{ ... }}
 _EXPR_RE = re.compile(r"\{\{\s*([^}\n]+?)\s*\}\}")
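Review bot: The new `_BLOCK_RE` still lets the lazy `.*?` run to the end of the input from every `<*` that has no later `*>`, so matching stays quadratic in the worst case even though the overlap between `\s*` and `.*?` is gone. If templates can be large or come from an untrusted source, a length cap before matching would bound that cost; whether this applies depends on the callers of `TemplateRenderer`, whose body starts and ends outside this hunk. Trimming now depends entirely on the strip the commit message cites at line 278, which is not visible here, so every other consumer of `group(1)` from this pattern should be checked for the same strip. I would also record the reason beside the pattern, e.g. `# No \s* around the group: it overlaps with .*? and backtracks on unterminated blocks; callers strip group(1).`, and add a regression test that feeds a long whitespace run with no closing delimiter and asserts that it returns promptly.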