GitHub Project Directory Filter Exposes ReDoS Vulnerability via Unescaped User Input
A vulnerability in a GitHub project's directory filter passes user input directly into the regular expression constructor without escaping, opening a direct path to Regular Expression Denial of Service (ReDoS). The flaw, located in `atr/static/js/src/projects-directory.js`, lets a filter value such as `(a+)+$` be compiled as a pattern; tested against a name that almost matches (a long run of `a` followed by a character the pattern rejects), it triggers catastrophic backtracking that freezes the browser tab and leaves the page unresponsive. Because the filter text comes from a textbox on the page, the freeze lands on whoever types the pattern; it would only become a shareable attack if the filter value could also be supplied through a URL or another external source, which this finding does not establish. Beyond the denial-of-service risk, the unescaped input also breaks core functionality: text that is not a valid pattern on its own, such as an unmatched `[` or `(`, makes `new RegExp()` throw a `SyntaxError` that nothing catches, crashing the filter entirely.
The vulnerability stems from a specific code block (lines 25-31) where the text of the project filter textbox is fed directly into `new RegExp()`. Regex metacharacters in that text are interpreted as pattern syntax instead of literal characters, so the search no longer does what the user asked. A user typing a literal period (`.`) matches any single character instead, a `|` turns the query into two alternatives, and a `+` or `*` quantifies whatever precedes it, producing results that are unpredictable and wrong. This deviation from the expected literal text search undermines both security and basic usability.
The finding is flagged at ASVS Level 2 (L2), indicating a failed input-validation control in a client-side component. The immediate impact is a browser freeze on the client, but the underlying pattern, unvalidated input reaching a parsing engine, is the same weakness that produces server-side ReDoS when a user-supplied pattern is compiled in a backend, and the same review should be applied wherever similar logic exists. The fix is straightforward: escape every regex special character (`. * + ? ^ $ { } ( ) | [ ] \`) before constructing the `RegExp` (the newer built-in `RegExp.escape` does this where the target browsers support it), or drop the regex entirely and use a plain substring comparison such as `String.prototype.includes`, which can neither throw nor backtrack. An escaped pattern contains no quantified groups, so it matches in linear time and cannot fail to compile; either approach neutralizes the attack vector and restores predictable filter behavior.
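The following is an added example, not code from `projects-directory.js` or from the project that owns it. It places the unescaped `new RegExp(userText)` construction the finding describes beside a hardened version that escapes the text (and a substring variant that needs no regex at all), and includes a bounded demonstration of the backtracking cost. All function and constant names, and the sample project list, are assumptions made for illustration.

```javascript
// Added example (not code from projects-directory.js): the unescaped
// RegExp construction beside a hardened version of the same filter.
// Function and constant names here are assumptions for illustration.

// Constructed sample data standing in for the project directory entries.
const PROJECTS = [
  'Apache Tomcat',
  'apache.kafka',
  'Apache Kafka (incubating)',
  'commons-lang',
  'a.b.c',
];

// Vulnerable: the textbox value goes straight into the RegExp constructor.
// Metacharacters are interpreted, an unmatched '[' throws SyntaxError, and
// a pattern like '^(a+)+$' can backtrack catastrophically on a near-miss name.
function filterProjectsVulnerable(projects, userText) {
  const re = new RegExp(userText, 'i');
  return projects.filter((name) => re.test(name));
}

// Escape every character that has meaning in a JavaScript regular expression
// (the set MDN documents for this purpose) so the text matches literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Hardened: same case-insensitive search, but the user's text is a literal.
// An escaped pattern has no quantified groups, so matching is linear and
// new RegExp() can no longer throw on user input.
function filterProjectsSafe(projects, userText) {
  const re = new RegExp(escapeRegExp(userText), 'i');
  return projects.filter((name) => re.test(name));
}

// Simplest alternative when no regex semantics are wanted at all.
function filterProjectsSubstring(projects, userText) {
  const needle = userText.toLowerCase();
  return projects.filter((name) => name.toLowerCase().includes(needle));
}

// Bounded illustration of the backtracking cost: '^(a+)+$' against n 'a's
// followed by 'b' cannot match, and the engine tries on the order of 2^n
// ways to split the run before giving up. n is kept small here; the same
// call with n around 30 is what freezes a browser tab.
function backtrackingCostMs(n) {
  const re = new RegExp('^(a+)+$');
  const input = 'a'.repeat(n) + 'b';
  const start = Date.now();
  re.test(input);
  return Date.now() - start;
}

// Stand-alone demo of the three behaviours the finding describes.
function demo() {
  console.log("vulnerable '.':", filterProjectsVulnerable(PROJECTS, '.'));      // every name
  console.log("safe '.':      ", filterProjectsSafe(PROJECTS, '.'));            // names containing '.'
  try {
    filterProjectsVulnerable(PROJECTS, '[');
  } catch (e) {
    console.log("vulnerable '[' throws:", e.name);                             // SyntaxError
  }
  console.log("safe '[':      ", filterProjectsSafe(PROJECTS, '['));            // []
  console.log('backtracking, n=18:', backtrackingCostMs(18), 'ms');
  console.log('same text, escaped:', filterProjectsSafe(PROJECTS, '^(a+)+$')); // []
}

demo();
```

The escape set in `escapeRegExp` is the one MDN recommends and covers every character that is special outside a character class in a JavaScript pattern; since the escaped text is then a fixed literal, the resulting `RegExp` has no nested quantifiers for an attacker to exploit and no way to fail compilation. If the filter never needs regex semantics, `filterProjectsSubstring` is the smaller change and removes the `RegExp` from the data path entirely.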