From d4c2252121e7daab3d740caab7329b7850cff778 Mon Sep 17 00:00:00 2001
From: soufiane
Date: Thu, 4 Dec 2025 16:35:03 +0100
Subject: [PATCH] fix: secure email regex against ReDoS vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Replace vulnerable regex with bounded quantifiers
- Add email length check (max 254 chars per RFC 5321)
- Fixes SonarQube security hotspot S5852

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 app/register/page.tsx | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/register/page.tsx b/app/register/page.tsx
index 7f51368..f25906b 100644
--- a/app/register/page.tsx
+++ b/app/register/page.tsx
@@ -42,7 +42,9 @@ export default function RegisterPage() {
   // Vérifier si l'email existe déjà
   const checkEmail = async (email: string) => {
-    if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+    // Regex sécurisée contre ReDoS avec limite de longueur
+    const isValidEmail = email && email.length <= 254 && /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/.test(email);
+    if (!isValidEmail) {
       setEmailStatus({ checking: false, exists: null, valid: null, message: '' });
       return;
     }