Skip to content
This repository has been archived by the owner on Dec 4, 2021. It is now read-only.

makenowjust-labs/eslint-plugin-redos

BranchesTags

Repository files navigation

Caution!

This repository's contents are integrated to MakeNowJust-Labo/recheck. Please move there to check the latest information.

The old README contents

eslint-plugin-redos

ESLint plugin for catching ReDoS vulnerability.

CI Status npm (scoped)

Installation

$ npm install eslint-plugin-redos

Then, in your .eslintrc.json:

{
  "plugins": ["redos"],
  "rules": {
    "redos/no-vulnerable": "error"
  }
}

This plugin contains the only rule redos/no-vulnerable.

Disallow ReDoS vulnerable RegExp literals
(redos/no-vulnerable)

Rule Details

Almost all JavaScript's RegExp matching engines are backtrack based, and it is known that such an engine causes ReDoS (Regular Expression Denial of Service) vulnerability. This rule detects a RegExp literal causing problematic backtracking behavior potentially.

👎 Examples of incorrect code for this rule:

/*eslint redos/no-vulnerable: "error"*/

// Exponential times backtracking examples:
/^(a*)*$/;
/^(a|a)*$/;
/^(a|b|ab)*$/;

// Polynomial times backtracking examples:
/^a*a*$/;
/^[\s\u200c]+|[\s\u200c]+$/; // See https://stackstatus.net/post/147710624694/outage-postmortem-july-20-2016.

👍 Examples of correct code for this rule:

/*eslint redos/no-vulnerable: "error"*/

// Fixed times backtracking examples:
/^a$/;
/^foo$/;

// Linear times backtracking examples;
/foo/;
/(a*)*/;

Options

The following is the default configuration.

{
  "redos/no-vulnerable": [
    "error",
    {
      "ignoreErrors": true,
      "permittableComplexities": [],
      "timeout": 10000,
      "checker": "hybrid"
    }
  ]
}

ignoreErrors

This flag is used to determine to ignore errors on ReDoS vulnerable detection.

Errors on ReDoS vulnerable detection are:

  • the pattern is invalid.
  • the pattern is not supported to analyze.
  • analysis is timeout.

They are ignored because they are noisy usually.

permittableComplexity

This array option controls permittable matching complexity. It allows the following values.

  • 'polynomial'
  • 'exponential'

We strongly recommend considering 'polynomial' matching complexity RegExp as ReDoS vulnerable. However, this option can disable it.

timeout

This option specifies a time-out limit for ReDoS analyzing. A time-unit is milli-seconds. If null is specified, it means unlimited time-out.

The default value is 10000 (10 seconds).

checker

This option specifies a checker name to use. It is one of 'hybrid', 'automaton' and 'fuzz'.

See the @makenowjust-labo/redos documentation for the detailed information.

The default value is 'hybrid'.

Related Projects

License

MIT license.

2020 (C) TSUYUSATO "MakeNowJust" Kitsune

About

ESLint plugin for catching ReDoS vulnerability.

npm.im/eslint-plugin-redos

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

3 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 5

v1.2.0 Latest
Sep 4, 2021
+ 4 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages