This repository has been archived by the owner on Dec 28, 2021. It is now read-only.

malicious regular expressions #24

Open
dominictarr opened this issue Mar 19, 2015 · 3 comments

Comments

@dominictarr
Contributor

This is vulnerable to evil regular expressions. It's possible to construct a regular expression that executes in exponential time, which won't look like an obvious infinite loop, but will lock the CPU for a while.

```js
require('notevil')("/((a+)+)b/.test('aaaaaaaaaaaaaaaaaaaaaaaaaaaaa')")
```

This tricks the regex evaluator into searching for all possible ways to arrange the two nested `a` groups
(since the string is missing a `b` at the end it will continue searching; if it had a `b`, it would return as soon as it has found a match).

The simplest way to prevent this is just to block regular expressions with a star height > 1 (i.e. with nested groups). This may block some non-evil regular expressions, but it is much simpler than implementing a regular expression interpreter.

For more detail: http://perlgeek.de/blog-en/perl-tips/in-search-of-an-exponetial-regexp.html

Also, @substack has a module for detecting safe regular expressions: https://github.com/substack/safe-regex
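A star-height gate of the kind the comment above proposes, added here as an example (it is not code from notevil or safe-regex; the function names and the way escapes, character classes and `(?...)` prefixes are skipped are my own assumptions):

```javascript
// Added example, not from the notevil project: approximate the "star height" of a
// regex source and reject anything above 1 (a quantified group nested inside another
// quantified group), as suggested above. Only unbounded quantifiers (*, +, {n,}) count;
// escapes, character classes and (?...) prefixes are skipped over, not interpreted.
const QUANTIFIER = /^(?:[*+?]|\{\d+(?:,\d*)?\})/; // any quantifier
const UNBOUNDED = /^(?:[*+]|\{\d+,\})$/;          // quantifiers with no upper bound
function starHeight(source) {
  let i = 0;
  // Parse atoms until ')' or end of input; return the max height found.
  function parseSequence() {
    let max = 0;
    while (i < source.length) {
      const c = source[i++];
      let height = 0;
      if (c === ')') return max;                   // end of the enclosing group
      if (c === '\\') {
        i++;                                       // skip the escaped character
      } else if (c === '[') {
        if (source[i] === '^') i++;
        if (source[i] === ']') i++;                // a leading ']' is literal
        while (i < source.length && source[i] !== ']') i += source[i] === '\\' ? 2 : 1;
        i++;                                       // consume the closing ']'
      } else if (c === '(') {
        if (source[i] === '?') {                   // (?: (?= (?! (?<= (?<! (?<name>
          i++;
          if (source[i] === '<' && !'=!'.includes(source[i + 1])) {
            const gt = source.indexOf('>', i);
            i = gt < 0 ? source.length : gt + 1;
          } else i += source[i] === '<' ? 2 : 1;
        }
        height = parseSequence();                  // height of the nested group
      }
      const q = QUANTIFIER.exec(source.slice(i));
      if (q) {
        i += q[0].length;
        if (source[i] === '?') i++;                // lazy modifier
        if (UNBOUNDED.test(q[0])) height += 1;
      }
      max = Math.max(max, height);
    }
    return max;
  }
  return parseSequence();
}

// Sandbox gate: refuse sources that do not compile or that nest unbounded repetition.
function isSafeRegexSource(source) {
  try { new RegExp(source); } catch (e) { return false; }
  return starHeight(source) <= 1;
}
```

`/((a+)+)b/` from the report above has star height 2 and is refused, while ordinary patterns such as `^[a-z]+@[a-z]+\.com$` pass.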

@mmckegg
Owner

mmckegg commented Mar 19, 2015

I knew this would be a rabbit hole 😵

@aredridel

Boom!

@dominictarr
Contributor Author

Hey, it looks like this might do it: https://github.com/aaditmshah/regex
You'd just need to add the run-time checker... Maybe use the native regex engine for safe regular expressions and the interpreted one for unsafe ones.
