manishsaraan / email-validator

email syntax validator npm module. fast and pretty robust
The Unlicense
436 stars 80 forks source link

Add note on ReDos vulnerability #62

Open safareli opened 2 years ago

safareli commented 2 years ago

Would be great there was a note on if the regex is vulnerable against ReDos. I tested on

and both say that regex is linear.

only http://redos-checker.surge.sh/ is saying that it's vulnerable but I suppose it's very old and not that smart?

sno2 commented 2 years ago

Hello, the validator short-circuits if the input length is greater than 254 so I do not believe that this could be utilized to cause any major issues.

houd1ni commented 1 year ago

Hi! Thanks for the idea! There're some PR's regarding utf support that could potentially break some algorythms. Will test the result when they get resolved and make the note. One of them is https://github.com/manishsaraan/email-validator/pull/57 for example.