chore: Added regex note to sql obfuscator (#2911)

Author: jsumners-nr

lib/util/sql/obfuscate.js

@@ -7,13 +7,30 @@
 
 module.exports = obfuscate
 
-// eslint-disable-next-line sonarjs/slow-regex
+// All eslint rules in this file that have a comment description of
+// "¶¶¶" have been determined safe enough for our use cases. These lint rules
+// are complaining about catastrophic backtracking being possible. While this
+// may be true, our only other alternative is to write a character by character
+// analyzer, like the .NET Agent uses, in order to obfuscate SQL statements.
+// We have opted against that for the follow reasons:
+//
+// 1. We have not encountered a case where these expressions have led to
+// the possible backtracking failure.
+// 2. Any character-by-character parser is very likely going to be much slower.
+// 3. If we did use a character-by-character parser, we would need to be sure
+// to handle multibyte characters, e.g.
+// `insert into foo (col1) values('sensitive 🍍')`
+// That statement has ASCII that would be well-supported in a naive
+// implementation, along with a UTF-8 character that could be mishandled if
+// not accounted for.
+
+// eslint-disable-next-line sonarjs/slow-regex -- ¶¶¶
 const singleQuote = /'(?:''|[^'])*?(?:\\'.*|'(?!'))/
-// eslint-disable-next-line sonarjs/slow-regex
+// eslint-disable-next-line sonarjs/slow-regex -- ¶¶¶
 const doubleQuote = /"(?:[^"]|"")*?(?:\\".*|"(?!"))/
 const dollarQuote = /(\$(?!\d)[^$]*?\$).*?(?:\1|$)/
 const oracleQuote = /q'\[.*?(?:\]'|$)|q'\{.*?(?:\}'|$)|q'<.*?(?:>'|$)|q'\(.*?(?:\)'|$)/
-// eslint-disable-next-line sonarjs/slow-regex
+// eslint-disable-next-line sonarjs/slow-regex -- ¶¶¶
 const comment = /(?:#|--).*?(?=\r|\n|$)/
 const multilineComment = /\/\*(?:[^/]|\/[^*])*?(?:\*\/|\/\*.*)/
 const uuid = /\{?(?:[0-9a-f]-*){32}\}?/