JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 27890
  • Score
    100M100P100Q143669F
  • License MIT

ESLint plugin for catching ReDoS vulnerability.

Package Exports

  • eslint-plugin-redos

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (eslint-plugin-redos) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

eslint-plugin-redos

ESLint plugin for catching ReDoS vulnerability.

CI Status npm (scoped)

Installation

$ npm install eslint-plugin-redos

Then, in your .eslintrc.json:

{
  "plugins": ["redos"],
  "rules": {
    "redos/no-vulnerable": "error"
  }
}

This plugin contains the only rule redos/no-vulnerable.

Disallow ReDoS vulnerable RegExp literals
(redos/no-vulnerable)

Rule Details

Almost all JavaScript's RegExp matching engines are backtrack based, and it is known that such an engine causes ReDoS (Regular Expression Denial of Service) vulnerability. This rule detects a RegExp literal causing problematic backtracking behavior potentially.

👎 Examples of incorrect code for this rule:

/*eslint redos/no-vulnerable: "error"*/

// Exponential times backtracking examples:
/^(a*)*$/;
/^(a|a)*$/;
/^(a|b|ab)*$/;

// Polynomial times backtracking examples:
/^a*a*$/;
/^[\s\u200c]+|[\s\u200c]+$/; // See https://stackstatus.net/post/147710624694/outage-postmortem-july-20-2016.

👍 Examples of correct code for this rule:

/*eslint redos/no-vulnerable: "error"*/

// Fixed times backtracking examples:
/^a$/;
/^foo$/;

// Linear times backtracking examples;
/foo/;
/(a*)*/;

Options

The following is the default configuration.

{
  "redos/no-vulnerable": [
    "error",
    {
      "ignoreErrors": true,
      "permittableComplexities": [],
      "timeout": 5000
    }
  ]
}

ignoreErrors

This flag is used to determine to ignore errors on ReDoS vulnerable detection.

Errors on ReDoS vulnerable detection are:

  • the pattern is invalid.
  • the pattern is not supported to analyze.
  • analysis is timeout.

They are ignored because they are noisy usually.

permittableComplexity

This array option controls permittable matching complexity. It allows the following values.

  • 'polynomial'
  • 'exponential'

We strongly recommend considering 'polynomial' matching complexity RegExp as ReDoS vulnerable. However, this option can disable it.

timeout

This option specifies a time-out limit for ReDoS analyzing. A time-unit is milli-seconds. If null is specified, it means unlimited time-out.

The default value is 5000 (5 seconds).

checker

This option specifies a checker name to use. It is one of 'hybrid', 'automaton' and 'fuzz'.

See the @makenowjust-labo/redos documentation for the detailed information.

License

MIT license.

2020 (C) TSUYUSATO "MakeNowJust" Kitsune