davisjam / vuln-regex-detector

Detect vulnerable regexes in your project. REDOS, catastrophic backtracking.
MIT License

Node.js? #67

Open jedwards1211 opened 5 years ago

jedwards1211 commented 5 years ago

I saw in your fork of safe-regex that you recommend this project instead. But is it designed to work on Node regular expressions? And in any case, maybe we should make a Node.js version to use with tools like ESLint?

lirantal commented 5 years ago

Yes, JavaScript regular expressions are supported too.

jedwards1211 commented 5 years ago

I see. How much does the file scanning support JS? I don't see anything in the readme about how it would scan JS files for regexes, or what the limitations would be on dynamically constructed regexes like new RegExp(foo + bar), where foo and bar are just constants initialized to string literals.

davisjam commented 5 years ago

Regex extraction and regex analysis are separate problems.

Regex extraction

The extraction relies on simple static analysis. It only finds regexes declared /like this/ or as constant strings in the constructor, like new RegExp("foo"). See section 5.A, "Extraction through static analysis", of this paper.

PRs to improve the static extraction are welcome. I'm not sure if the static analysis framework I used for JS handles dataflow analysis.

Regex analysis

The super-linear regex detection ensemble exposed by this project is much more powerful than safe-regex's heuristic.
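
The extraction limit described in this thread, including the new RegExp(foo + bar) case from the question, shown as an added example; it is not code from vuln-regex-detector or from any commenter. The names readStringLiteral, classifyRegExpCalls and SAMPLE are hypothetical, the input is constructed, and /like this/ literals are out of scope because finding them reliably needs a real JS parser.

```javascript
// Added illustration, not vuln-regex-detector's extractor; names and sample are constructed.
// Read a '...' or "..." literal at src[i]: returns its raw body and the index
// past the closing quote, or null (template literals count as dynamic).
function readStringLiteral(src, i) {
  const quote = src[i];
  if (quote !== '"' && quote !== "'") return null;
  let j = i + 1;
  while (j < src.length && src[j] !== quote) {
    if (src[j] === '\n') return null;   // unterminated on this line
    j += src[j] === '\\' ? 2 : 1;       // step over an escaped character
  }
  return j < src.length ? { raw: src.slice(i + 1, j), end: j + 1 } : null;
}

// Sort every `new RegExp(...)` call site into "extracted" (first argument is a
// lone string literal) or "missed" (any other expression, e.g. concatenation).
// Text-based: call sites inside comments or strings are not filtered out.
function classifyRegExpCalls(src) {
  const extracted = [];
  const missed = [];
  const callSite = /\bnew\s+RegExp\s*\(\s*/g;
  let m;
  while ((m = callSite.exec(src)) !== null) {
    const argStart = callSite.lastIndex;
    const line = src.slice(0, m.index).split('\n').length;
    const lit = readStringLiteral(src, argStart);
    // The literal must be the whole argument: the next token is `,` or `)`.
    if (lit && /^\s*[,)]/.test(src.slice(lit.end))) {
      // Decode only \\ and escaped quotes; other string escapes stay as written.
      extracted.push({ line, pattern: lit.raw.replace(/\\([\\'"])/g, '$1') });
    } else {
      const close = src.indexOf(')', argStart);
      missed.push({ line, expr: src.slice(argStart, close < 0 ? src.length : close).trim() });
    }
  }
  return { extracted, missed };
}

// Constructed input: two literal-argument calls, two dynamically built ones.
const SAMPLE = [
  'const foo = "(a+)";',
  'const bar = "+$";',
  'const a = new RegExp("^(\\\\d+)*$");',
  'const b = new RegExp(foo + bar);',
  "const c = new RegExp('ab' + bar, 'i');",
  "const d = new RegExp('^x+$', 'g');",
].join('\n');

console.log(classifyRegExpCalls(SAMPLE));
```

The missed list is the set of call sites a literal-only extractor never passes on to the analysis stage, so those patterns need review by other means.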