To correctly escape special regex characters (like $, {, and }) in placeholder strings intended for use in a regex pattern, we need to ensure that each of these characters is replaced in the string with two backslashes (i.e., \\$), so that the resulting string (when passed to the RegExp constructor) results in the correct escape (e.g., \$). The best way is to use a regex escape helper function that properly escapes all regex special characters, ensuring robust and maintainable code. This function should be defined close to its usage or at the module level.

What to change:

• Add a function (such as escapeRegExp) that escapes special regex characters in a given string.
• Replace the current triple .replace() chain on line 281-283 with a single call to that function for clarity, safety, and extensibility.

Methods/imports needed:
No external imports are needed; just a local helper function.

File/lines to change:

• In web/src/utils/dashboard/variables/variablesUtils.ts, add the escapeRegExp function near the top.
• In the code where placeholder is passed to new RegExp, use escapeRegExp(placeholder) instead of the current .replace() chain.

To properly escape $, {, and } in the context of generating a regular expression from string placeholders, we need to make sure that the string passed to the RegExp constructor contains \\$, \\{, and \\}. In JavaScript string literals, \\ is interpreted as a single backslash, so placeholder.replace(/\$/g, "\\$") results in \$ in the pattern, which is correct. However, CodeQL is flagging \$ as a useless escape in string literals because in some JS contexts, \$ is equivalent to $, potentially leading to confusion or misinterpretation. But, since this is being used to build a RegExp pattern, using "\\$" in the string results in \$ in the regex pattern, which does match a literal dollar sign.

However, the best way to future-proof and clarify intent is to ensure you're using double backslashes ("\\$", "\\{", "\\}") in the string replacement so that the resulting RegExp pattern contains \$, \{, and \}. Double check that each replacement has two backslashes in the string literal.

Thus, in file web/src/utils/dashboard/variables/variablesUtils.ts, in the code block starting at line 280:

• Edit .replace(/\$/g, "\\$") to .replace(/\$/g, "\\\$")
• Edit .replace(/\{/g, "\\{") to .replace(/\{/g, "\\\{")
• Edit .replace(/\}/g, "\\}") to .replace(/\}/g, "\\\}")

While the previous code may have worked, using two backslashes to produce the correct escaped character is canonical, and avoids "useless regular-expression escape" alerts.

No additional imports or dependencies are required.

In general terms, the correct way to construct a RegExp from a string with embedded variable placeholders is to escape only those characters that actually have special meaning in RegExp patterns. In the context of this code, rather than blindly escaping the $, {, and } characters, you should escape those which could be interpreted as meta-characters in RegExp.

For this snippet, replacing only special RegExp characters (like ., *, +, ?, ^, $, |, (, ), [, ], {, }, \) is appropriate. The more robust fix is to use a utility function to escape all RegExp metacharacters in the placeholder string before passing it to new RegExp.

File/region to edit: Only change the code within web/src/utils/dashboard/variables/variablesUtils.ts, at the region where placeholder strings are turned into regex patterns (around lines 278–283).

Required changes:

• Define a utility function, e.g., escapeRegExp, that will escape all RegExp meta-characters.
• Use this function to escape the placeholder when constructing the RegExp pattern, rather than selectively replacing \$, \{, and \}.
• No imports necessary: this utility function can be written inline.

To fix this issue, we must ensure that metacharacters in the placeholder strings are correctly escaped in the string used to construct the RegExp. This requires doubling the backslash so that when the string is interpreted by the RegExp constructor, the resulting regex will match literal metacharacters. Specifically, change .replace(/\$/g, "\\$") to .replace(/\$/g, "\\\$") (or equivalently using .replaceAll("$", "\\\$")), and similarly for { and }. This will yield \\$ in the string, resulting in a regex that matches a literal $.
Edit only the string replacement logic (lines 281-283) in the file web/src/utils/dashboard/variables/variablesUtils.ts to use double backslashes for escaping metacharacters.
No additional imports or methods are required.

The problem arises because .replace(/\$/g, "\\$") (and similarly for { and }) replaces a plain dollar sign with a single backslash, so that the produced pattern looks like \$ in the string literal provided to RegExp. However, since JavaScript string literals interpret \ itself as an escape character, the string "\\$" passed to RegExp becomes \$ in the resulting pattern, which will match a literal dollar. However, by only replacing with a single backslash "\", the string ends up containing \$, which in RegExp is just equivalent to $, not a literal dollar.

To correctly escape these characters in dynamically constructed RegExp patterns, replace each $, {, and } with double backslashes (\\$, \\{, \\}) so that the string passed to RegExp contains \\$, which is interpreted in the RegExp engine as \$ (literal dollar sign). This ensures you safely match the literal placeholder regardless of context.

You should update lines 281–283 to replace each character with two backslashes (i.e., .replace(/\$/g, "\\\\$")). This should be done for all three replacements ($, {, }).

The best way to fix this problem is to ensure that each placeholder string is properly escaped for use in the RegExp constructor, so it matches the literal string representation, not a RegExp meta-character. This means replacing .replace(/\$/g, "\\$") with .replace(/\$/g, "\\$") (which actually produces a single backslash in the string, so for RegExp it must be double-backslashed: \\\\$). The same applies for the braces ({, }): use double backslashes to ensure proper escaping.

In summary:

• Replace .replace(/\$/g, "\\$") with .replace(/\$/g, "\\$") for use in RegExp string, but this will produce \${variable.name} still — to match literal $, supply \\$ in the RegExp string.
• The most reliable approach is to use a utility function to escape all RegExp meta-characters (not just $, {, }) in the placeholder, ensuring the pattern matches the literal placeholder.

Thus, the fix is:

1. Introduce a function, e.g., escapeRegExp, that escapes all RegExp meta-characters in the placeholder.
2. Replace the multiple .replace() calls on the placeholder with a single call to escapeRegExp(placeholder).
3. Update the code around line 281–283 accordingly.

You only need the escapeRegExp function and update the invocation within variablesUtils.ts.

To correctly escape any metacharacters in the RegExp pattern being built, including the backslash, we should escape all RegExp meta-characters within placeholder. The single best way is to use a purpose-built escaping function for RegExp patterns (such as escape-string-regexp), but if using only built-in methods, escape all relevant characters. In this snippet, add a replacement for backslash (\\). The change should be made at the call constructing the RegExp pattern, at lines 281–283, so that the string used to build the RegExp is properly escaped for all metacharacters that appear in placeholders.

We only need to change the pattern building to also escape backslashes (\), matching the spirit and scope of the flagged line. No further changes or imports are needed.

To correctly escape placeholder for safe embedding inside a regular expression, we should ensure all regular expression special characters are escaped, but at minimum backslashes, as highlighted. The best way is to use a utility function that escapes all regex metacharacters, e.g. a function like escapeRegExp(s) which replaces all regex metacharacters with escaped forms, including the backslash (\). This prevents malformed or dangerous regular expressions and ensures all placeholder occurrences are replaced as intended.

The fix is to replace:

placeholder
  .replace(/\$/g, "\\$")
  .replace(/\{/g, "\\{")
  .replace(/\}/g, "\\}")

with a call to an escaping function that escapes all regex special characters. Add a utility function inside this file (since no external imports were present/shown), e.g.:

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

and in the .replace() call, use

new RegExp(escapeRegExp(placeholder), "g")

Update the lines where the regex is constructed accordingly. No new imports or external dependencies are needed.

To robustly escape all potentially dangerous special characters when building a regular expression from user-provided input, use a well-tested method to escape regex metacharacters. The best (and simplest) approach is to adopt a utility such as escape-string-regexp if dependencies are allowed, or otherwise copy a safe, standard implementation of it. The fix is to process placeholder with this escaping function before using it as the pattern in RegExp. This change should be made where the RegExp is constructed (lines 279–283), replacing the series of chained .replace()s.

If dependencies are not wanted, a one-liner escape utility can be added directly to the file.
No changes to the rest of the replacement logic are needed.