davisjam / vuln-regex-detector

Detect vulnerable regexes in your project. REDOS, catastrophic backtracking.
MIT License
320 stars 29 forks source link

docs: improve READMEs #37

Open davisjam opened 6 years ago

davisjam commented 6 years ago

Feedback from @calligraphic here. Quoted below:

Thanks for taking the time to write that up. I think I'll use it with a local persistent cache and the eslint plugin; eslint's // eslint-disable-line method works for marking a particular regexp safe for my use case.

Thanks again for a great library. I'd like to mention that, at least for me, the documentation on the GitHub page is a little confusing. There's not a link to the eslint plugin on either that page or a link to it on the NPM page for the vuln-regex-detector module. The documentation for the extraction function mentions it handles code "written [in] any of the supported languages", but doesn't mention what those supported languages are (Python and Javascript, from your answer above).

Also, I need to look in the source of extract-regexes.pl to find the text string to use for specifying languages (javascript or python), instead of it being explicit in the documentation. Since python3 is the package name in Debian and RPM repos for Python version 3, naively I'd of tried using it (and get the Error, could not find regexp extractor... message). A similar issue probably applies to TypeScript. It might help other developers interested in the project to have that information easily at hand.

Thanks again for a great project!

davisjam commented 6 years ago

@demands requests more links about catastrophic backtracking and REDOS as a security issue vs. a performance issue.

davisjam commented 6 years ago

@josdejong's requests are documented here.