From 604dc700a63dd0328ead3c0ffadae994a07d40da Mon Sep 17 00:00:00 2001
From: Hyojin Kwak
Date: Fri, 13 Feb 2026 22:07:44 +0900
Subject: [PATCH] MSTeams: fix regex injection in mention name formatting

Escape regex metacharacters in display names before constructing RegExp to prevent runtime errors or unintended matches when names contain special characters like (, ), ., +, ?, [, etc. Add test coverage for names with regex metacharacters.
---
 extensions/msteams/src/mentions.test.ts | 12 ++++++++++++
 extensions/msteams/src/mentions.ts | 3 ++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/extensions/msteams/src/mentions.test.ts b/extensions/msteams/src/mentions.test.ts
index bfd66873ed..13d9e02e74 100644
--- a/extensions/msteams/src/mentions.test.ts
+++ b/extensions/msteams/src/mentions.test.ts
@@ -208,4 +208,16 @@ describe("formatMentionText", () => {
 expect(result).toBe("Hello world");
 });
+
+ it("escapes regex metacharacters in names", () => {
+ const text = "Hey @John(Test) and @Alice.Smith";
+ const mentions = [
+ { id: "28:xxx", name: "John(Test)" },
+ { id: "28:yyy", name: "Alice.Smith" },
+ ];
+
+ const result = formatMentionText(text, mentions);
+
+ expect(result).toBe("Hey John(Test) and Alice.Smith");
+ });
 });
diff --git a/extensions/msteams/src/mentions.ts b/extensions/msteams/src/mentions.ts
index 7ff3a3578e..fc63093b00 100644
--- a/extensions/msteams/src/mentions.ts
+++ b/extensions/msteams/src/mentions.ts
@@ -106,7 +106,8 @@ export function formatMentionText(text: string, mentions: MentionInfo[]): string
 let formatted = text;
 for (const mention of mentions) {
 // Replace @Name or @name with Name
- const namePattern = new RegExp(`@${mention.name}`, "gi");
+ const escapedName = mention.name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+ const namePattern = new RegExp(`@${escapedName}`, "gi");
 formatted = formatted.replace(namePattern, `${mention.name}`);
 }
 return formatted;
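Review bot: The `Alice.Smith` case in the new `escapes regex metacharacters in names` test would pass even without the fix, because an unescaped `.` still matches a literal dot; only `John(Test)` exercises the escaping. A negative assertion would pin the literal-match guarantee, for example `expect(formatMentionText("Hey @AlicexSmith", [{ id: "28:yyy", name: "Alice.Smith" }])).toBe("Hey @AlicexSmith");`. The commit message also promises protection against runtime errors, so a name with an unbalanced bracket (a constructed sample such as `"Bob [QA"`) is worth one more case, since the test currently never checks that the call does not throw.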
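Review bot: The unchanged `formatted.replace(namePattern, ...)` line in the `mentions.ts` hunk still passes a string built from `mention.name` as the replacement argument, so only the pattern side is escaped. `String.prototype.replace` expands `$&`, `$1`, `$$` and similar sequences in a replacement string, which means a display name containing `$` can still come out altered in the formatted text. Returning the same string from a replacer function keeps it literal, for example `formatted = formatted.replace(namePattern, () => mention.name);`. A short comment on `escapedName` saying that display names are externally supplied and must be treated as literal text on both sides of the replace would help the next reader. The signature and closing brace of `formatMentionText` are outside the hunk.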