Code | Severity | i18n | Experimental |
---|---|---|---|
unsafe-regex | Warning | sast_warnings.unsafe_regex | ❌ |
This warning has been designed to detect and report any regular expressions (regexes) that could lead to catastrophic backtracking. An attacker can use such a pattern to drastically reduce the performance of your application; this kind of attack is commonly called ReDoS (Regular expression Denial of Service).
Learn more:
- How a RegEx can bring your Node.js service down
- An additional non-backtracking RegExp engine
- The Impact of Regular Expression Denial of Service (ReDoS) in Practice
- Why Aren’t Regexes a Lingua Franca?
- Comparing regex matching algorithms
Note: credit goes to the safe-regex package author for the last three resources.
Under the hood, the safe-regex package is used to check every RegExpLiteral and every RegExp constructor call (e.g. `new RegExp()`).
```json
{
  "kind": "unsafe-regex",
  "location": [[286,18],[286,65]],
  "value": "^node_modules\\/(@[^/]+\\/?[^/]+|[^/]+)(\\/.*)?$",
  "file": "index.js"
}
```
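To show why the regex in the report above gets flagged, here is an added, dependency-free reimplementation of the star-height heuristic that safe-regex applies (this is example code, not safe-regex's or js-x-ray's own source): every quantifier counts as a repetition, `?` and `{n,m}` included, and a repetition nested inside another repetition (star height above 1), or more than 25 repetitions in total, marks the pattern as unsafe. In the report's pattern, the optional group `(\/.*)?` wraps the unbounded `.*`, which is exactly the nesting the heuristic rejects.

```javascript
// Simplified star-height check (added example, not safe-regex's own code).
// height = deepest nesting of quantifiers; reps = total number of quantifiers.
function starHeight(source) {
  const outerMax = [];   // levelMax of each enclosing group, saved on '('
  let levelMax = 0;      // deepest star height seen at the current nesting level
  let lastItem = 0;      // star height of the item a following quantifier applies to
  let reps = 0;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') { i++; lastItem = 0; continue; }              // escaped atom
    if (c === '[') {                                                // character class
      for (i++; i < source.length && source[i] !== ']'; i++) if (source[i] === '\\') i++;
      lastItem = 0; continue;
    }
    if (c === '(') {
      outerMax.push(levelMax); levelMax = 0; lastItem = 0;
      if (source[i + 1] === '?') {                                  // (?: (?= (?! (?<name>
        i += 2;
        if (source[i] === '<' && !'=!'.includes(source[i + 1])) i = source.indexOf('>', i);
      }
      continue;
    }
    if (c === ')') {                                                // the group becomes one item
      lastItem = levelMax;
      levelMax = Math.max(outerMax.length ? outerMax.pop() : 0, lastItem);
      continue;
    }
    if (c === '|') { lastItem = 0; continue; }
    const quantified = c === '*' || c === '+' || c === '?' ||
      (c === '{' && /^\{\d+(,\d*)?\}/.test(source.slice(i)));
    if (quantified) {
      if (c === '{') i = source.indexOf('}', i);
      if (source[i + 1] === '?') i++;                               // lazy modifier, not a new repetition
      reps++;
      lastItem += 1;                                                // quantifying raises the item's height
      levelMax = Math.max(levelMax, lastItem);
      continue;
    }
    lastItem = 0;                                                   // plain atom
  }
  return { height: levelMax, reps };
}

function isSafeRegex(source, limit = 25) {   // 25 mirrors safe-regex's default repetition limit
  const { height, reps } = starHeight(source);
  return height <= 1 && reps <= limit;
}

// The pattern from the report above (flagged) next to a linear one (accepted).
for (const src of ['^node_modules\\/(@[^/]+\\/?[^/]+|[^/]+)(\\/.*)?$', '^[a-z]+@[a-z]+\\.[a-z]{2,}$']) {
  console.log(JSON.stringify(src), starHeight(src), isSafeRegex(src) ? 'safe' : 'unsafe');
}
```

Because this is a structural heuristic rather than a backtracking analysis, it can flag patterns that are actually linear and it does not catch overlapping alternations such as `(a|aa)+`, so treat a hit as a prompt to review the regex (or rewrite it without nested quantifiers) rather than as proof of exploitability.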