Closed marekdedic closed 3 years ago
Hi, I've tried adding test for the regular expression catastrophic backtracking in #95. However, it does not work - I think the timeout function of tape only works for things like network requests and such, not for timing out actual computation. However, your test infra is foreign to me, so it might be just my ignorance...
Another way to do this would be to run all the regexes through something like safe-regex, however, I think that would lead to many more failing tests (but not FPs, they'd really be vulnerable regexes). So that's a whole other rabbit hole... @pkuczynski, what do you think?
Thanks
Eh, since the regexes are dynamically created in the fullPat variable, safe-regex can't test them... So unless that is rewritten, safe-regex can't be used...
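The static check proposed above (running patterns through a safe-regex-style analysis) and the concern that follows it (patterns built dynamically in a variable cannot be handed to a test suite up front) can both be addressed by checking the pattern's source string at the moment it is built. Below is an added example, not code from this repository, from the PR, or from the safe-regex package: a small re-implementation of the star-height heuristic that safe-regex popularised, plus a `compileChecked` wrapper (a hypothetical name) that a project could call in place of `new RegExp(...)` for dynamically assembled patterns. A pattern whose unbounded quantifiers (`*`, `+`, `{n,}`) nest inside another unbounded quantifier has star height greater than 1, which is the shape that lets a backtracking engine run in exponential time on a non-matching input.

```javascript
'use strict';

// Added example in the spirit of safe-regex's star-height check (assumption: this is a
// simplified re-implementation written for illustration, not the safe-regex package itself).
// It scans a regex source string and returns the maximum nesting depth of unbounded
// quantifiers. Bounded quantifiers (?, {n}, {n,m}) are not counted; character classes
// and escaped characters are treated as single atoms.
function starHeight(source) {
  let height = 0;            // highest nesting seen in the group currently being scanned
  let maxHeight = 0;         // overall result
  const stack = [];          // heights of the enclosing groups
  let lastGroupHeight = -1;  // height of the group just closed; -1 if the previous atom was not a group
  let inClass = false;
  let i = 0;

  // An unbounded quantifier applied to a group adds one level on top of that group's height;
  // applied to a single atom it counts as height 1.
  const applyUnbounded = () => {
    const h = (lastGroupHeight >= 0 ? lastGroupHeight : 0) + 1;
    height = Math.max(height, h);
    maxHeight = Math.max(maxHeight, height);
    lastGroupHeight = -1;
  };

  while (i < source.length) {
    const ch = source[i];

    if (inClass) {                                   // inside [...]: no groups, no quantifiers
      if (ch === '\\') i += 2; else { if (ch === ']') inClass = false; i++; }
      lastGroupHeight = -1;
      continue;
    }
    if (ch === '\\') { i += 2; lastGroupHeight = -1; continue; }         // escaped atom
    if (ch === '[') { inClass = true; i++; lastGroupHeight = -1; continue; }
    if (ch === '(') { stack.push(height); height = 0; lastGroupHeight = -1; i++; continue; }
    if (ch === ')') {
      const inner = height;
      height = Math.max(stack.length ? stack.pop() : 0, inner);
      lastGroupHeight = inner;                       // a quantifier may follow this group
      i++;
      continue;
    }
    if (ch === '*' || ch === '+') {
      i++;
      if (source[i] === '?') i++;                    // lazy modifier
      applyUnbounded();
      continue;
    }
    if (ch === '{') {
      const end = source.indexOf('}', i);
      const body = end === -1 ? '' : source.slice(i + 1, end);
      if (/^\d+,$/.test(body)) {                     // {n,} is unbounded
        i = end + 1;
        if (source[i] === '?') i++;
        applyUnbounded();
        continue;
      }
      if (/^\d+(,\d+)?$/.test(body)) {               // {n} and {n,m} are bounded: not counted
        i = end + 1;
        if (source[i] === '?') i++;
        lastGroupHeight = -1;
        continue;
      }
      // anything else is a literal '{' and falls through as a plain atom
    }
    if (ch === '?') { i++; lastGroupHeight = -1; continue; }  // bounded, or the (?: / (?= prefix
    i++;
    lastGroupHeight = -1;
  }
  return Math.max(maxHeight, height);
}

// Accepts either a RegExp object or a source string; star height above `limit` is unsafe.
function isSafe(pattern, limit = 1) {
  const source = pattern instanceof RegExp ? pattern.source : String(pattern);
  return starHeight(source) <= limit;
}

// Guard for dynamically assembled patterns (hypothetical helper): check the source string
// at the point it is built, right before compiling it.
function compileChecked(source, flags = '') {
  if (!isSafe(source)) {
    throw new Error(`refusing to compile regex with nested unbounded quantifiers: /${source}/`);
  }
  return new RegExp(source, flags);
}

// Constructed sample patterns: the first two are flagged, the rest pass.
for (const p of ['(a+)+', '(x{2,})+', 'a+b*', '(a|b)*c', '[a+]+']) {
  console.log(`/${p}/ star height ${starHeight(p)} -> ${isSafe(p) ? 'ok' : 'UNSAFE'}`);
}
```

The check is a static heuristic rather than a proof: it flags every pattern with nested unbounded repetition, including some that a fixed delimiter between repetitions keeps linear, and it does not see nesting expressed through bounded ranges such as `(a{1,5})*`. Because it works on the source string, a project that builds its pattern in a variable can call `compileChecked` in the one place the pattern is turned into a `RegExp`, so the test suite exercises the real, dynamically produced pattern instead of a hand-copied one.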
Hi, I've made this PR depend on #105 as otherwise it does not make sense. ~The bad news is that there are some tests failing, but really they are failing correctly - the regexes they detect are unsafe...~
Since the tests are working, I'm closing this PR in favor of #105
Refs #105