davisjam / vuln-regex-detector

Detect vulnerable regexes in your project. REDOS, catastrophic backtracking.
MIT License

cache: client: specify client's local cache location #33

Closed dougwilson closed 6 years ago

dougwilson commented 6 years ago

Is it possible to choose the cache location when using the Node.js npm module as a client? For example, perhaps I can set the path using an environment variable. The reason is that I would like to run this on CI servers, but the cache isn't super useful unless I can save the cache between runs. If I can choose the location I can point it to a directory that will persist between runs.

davisjam commented 6 years ago

Plan

Good suggestion. I'll make this configurable soon.

@dougwilson It would help to know whether you are planning to use:

  1. The pseudo eslint plugin (then an environment variable would be simpler), or
  2. The client (then supporting it directly in the config parameter would be fine).

Workaround

If you're using vuln-regex-detector v1.2.0 then here is a workaround:

  1. Create a directory for the cache in your persistent storage.
  2. Make the directory used by the module into a symlink. You could also use a hardlink unless you'll be crossing FS boundaries.

At the moment, the directory the cache uses is defined here:

```js
const os = require('os');
const path = require('path');

// Default location of the client's persistent cache (under the OS temp directory).
const PERSISTENT_CACHE_DIR = path.join(os.tmpdir(), 'vuln-regex-detector-client-persistentCache');
```

dougwilson commented 6 years ago

Sorry I left that out from the initial post. I am currently trying to just use the eslint plugin, since it's the simple method. It works well for projects if I can get a persistent local cache, as it runs very quickly. Perhaps both choices are best:

  1. The client takes the path as an optional config and
  2. The eslint plugin passes in the value of an environment variable as that config

Yes, I thought of the symlink approach, though it's a bit more difficult on Windows because you have to be an administrator to make a symlink, and the builds do not run with administrator privileges. Right now I am just doing a directory copy of the contents pre and post build to shuffle them around. Just thought it would be more efficient to skip the file copying.

davisjam commented 6 years ago

@dougwilson Resolved in #36 via vuln-regex-detector v1.3.0 and eslint plugin v1.0.4.

See instructions here. You might also get some clues from this test case if you use the vuln-regex-detector module directly.

Let me know how it goes!