Was updating Moment.js for a project to remove the ability for certain ReDOS attacks. While searching, the `isTimeSpan` function from this repo came up and mentioned that it used some regex from Moment.js in comments:
```js
// expressive.annotations.validate.js Line 491
isTimeSpan: function(value) {
    return /(\-)?(?:(\d*)\.)?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?)?/.test(value); // regex for recognition of .NET style timespan string, taken from moment.js v2.9.0
},
```
I checked and found that this line fails an automated ReDOS check. This is unsurprising due to the number of ReDOS bugs that moment.js has fixed over the years.
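An added example, not code from the repository or from Moment.js: because `.test()` is called on an unanchored pattern whose surrounding groups are all optional, the quoted check accepts the same strings as `/\d:\d/`, which has no quantifiers to backtrack over. `isTimeSpanStrict`, with its anchors, bounded counts and 32-character cap, is an assumption about what callers intend, and the sample values are constructed.

```javascript
// Added example: not code from expressive.annotations or Moment.js.
// The pattern exactly as quoted in the issue: unanchored, with unbounded
// \d* and \d+ runs that a backtracking engine retries from every start offset.
const ORIGINAL = /(\-)?(?:(\d*)\.)?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?)?/;

function isTimeSpanOriginal(value) {
  return ORIGINAL.test(value);
}

// With .test() and no anchors, every optional group can be skipped, so the
// original accepts exactly the strings that contain digit, ':', digit.
// This form has no quantifiers, so there is nothing to backtrack over.
function isTimeSpanEquivalent(value) {
  return /\d:\d/.test(value);
}

// Assumption: callers want the whole value to be a .NET-style timespan,
// [-][d.]hh:mm[:ss[.fffffff]]. Anchors, bounded counts and a length cap
// keep the matching work small and independent of input size.
const STRICT = /^-?(?:\d{1,8}\.)?\d{1,2}:\d{1,2}(?::\d{1,2}(?:\.\d{1,7})?)?$/;

function isTimeSpanStrict(value) {
  return typeof value === "string" && value.length <= 32 && STRICT.test(value);
}

// Constructed sample values for comparing the three checks.
const SAMPLES = ["1:30", "-2.03:04:05.678", "12:00:00", "abc 1:2 xyz",
                 "12345", "1:", ":5", "", "1.2.3", "10:20:30:40"];

function compare(samples) {
  return samples.map((s) => ({
    input: s,
    original: isTimeSpanOriginal(s),
    equivalent: isTimeSpanEquivalent(s),
    strict: isTimeSpanStrict(s),
  }));
}

console.table(compare(SAMPLES));
```

The `original` and `equivalent` columns agree on every row; `strict` differs only where the value merely contains a timespan-like fragment, such as `abc 1:2 xyz` or `10:20:30:40`.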