davisjam / vuln-regex-detector

Detect vulnerable regexes in your project. REDOS, catastrophic backtracking.
MIT License

detect-vuln: test on expanded pattern space #49

Closed davisjam closed 6 years ago

davisjam commented 6 years ago

Problems:

  1. Detectors miss /a+$/
  2. Detectors choke on /a{1,100}a{1,100}a{1,100}$/

Solutions:

  1. Prefix with '^(.*)' Credit: Idea from Cox and discussion with Christy
  2. Convert a{1,100} to a+, etc. Credit: I think chalker suggested something like this

Fixes: #48.
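The two rewrites described above, as an added example in Python (not code from vuln-regex-detector): bounded repetitions whose upper bound is at least 2 are widened to `+` (or `*` when the lower bound is 0), and the result is prefixed with `^(.*)`. The escape/character-class handling and the choice to skip the prefix on already-anchored patterns are my assumptions, not stated in the PR.

```python
import re

# Matches a bounded quantifier: {n}, {n,} or {n,m}
QUANT_RE = re.compile(r'\{(\d+)(?:,(\d*))?\}')


def _widen(m: "re.Match") -> str:
    """Return '+' / '*' for a quantifier worth widening, else the original text."""
    lo = int(m.group(1))
    hi = m.group(2)                     # None for {n}, '' for {n,}, digits for {n,m}
    upper = lo if hi is None else (None if hi == '' else int(hi))
    if upper is not None and upper < 2:  # {1}, {0,1}: nothing to widen
        return m.group(0)
    return '*' if lo == 0 else '+'


def widen_bounded_repetition(pattern: str) -> str:
    """Rewrite a{1,100} -> a+, a{0,5} -> a*, a{3} -> a+ (assumed rules), leaving
    escaped braces and character classes untouched."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\' and i + 1 < n:          # escaped char, e.g. \{ stays literal
            out.append(pattern[i:i + 2]); i += 2; continue
        if c == '[':                          # copy a character class verbatim
            j = i + 1
            if j < n and pattern[j] == '^': j += 1
            if j < n and pattern[j] == ']': j += 1   # leading ] is literal
            while j < n and pattern[j] != ']':
                j += 2 if pattern[j] == '\\' else 1
            out.append(pattern[i:j + 1]); i = j + 1; continue
        if c == '{':
            m = QUANT_RE.match(pattern, i)
            if m:
                out.append(_widen(m)); i = m.end(); continue
        out.append(c); i += 1
    return ''.join(out)


def expand_pattern(pattern: str) -> str:
    """Apply both rewrites; the '^(.*)' prefix lets a detector see a suffix
    vulnerability such as /a+$/ that an unanchored search would hide."""
    widened = widen_bounded_repetition(pattern)
    if widened.startswith('^'):              # assumption: already anchored, leave it
        return widened
    return '^(.*)' + widened


if __name__ == '__main__':
    for p in ['a+$', 'a{1,100}a{1,100}a{1,100}$']:
        print(p, '->', expand_pattern(p))
```

Widening over-approximates the original language, so a finding on the expanded pattern is a candidate that should be confirmed against the original regex before it is reported.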