Open dbaeumer opened 3 years ago
It is also important that many JS-compatible regex engines use "plain NFA", which can result in a "regex of doom", for example:
> console.time("regex"); /(a*)*b/.test((Array(20).fill("a").join(''))); console.timeEnd("regex");
regex: 34.394ms
undefined
> console.time("regex"); /(a*)*b/.test((Array(21).fill("a").join(''))); console.timeEnd("regex");
regex: 63.107ms
undefined
> console.time("regex"); /(a*)*b/.test((Array(22).fill("a").join(''))); console.timeEnd("regex");
regex: 114.081ms
undefined
> console.time("regex"); /(a*)*b/.test((Array(25).fill("a").join(''))); console.timeEnd("regex");
regex: 814.702ms
undefined
As you can see, with a pretty innocent regex and a pretty innocent string we can show exponential times of executing the regex. This can result in a DoS from the untrusted LS.
Also, support for these complex snippets should be a capability. It seems that as soon as you declare support for snippets, you're binding yourself to implementing a potentially changing snippet specification.
Or at least, version the specification of snippets, maybe?
For example, in Vim there's no way to support JavaScript regexes without writing a JavaScript to Vim regex compiler.
See https://github.com/microsoft/language-server-protocol/issues/363
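A client that receives regex sources from a language server can refuse the nested-quantifier shape timed earlier in this thread (`/(a*)*b/`) before handing it to a backtracking engine. The sketch below is an added example, not code from the LSP specification or from any client; the function names and the sample strings other than `(a*)*b` are constructed for illustration, and the check is a heuristic that does not catch overlapping alternations such as `(a|a)*`.

```javascript
// Added example: heuristic pre-check for regex sources received from a language server.
// Flags a group that contains an unbounded quantifier and is itself repeated without
// bound, the shape of /(a*)*b/. Function names are hypothetical.
function unboundedQuantifierAt(src, i) {
  if (src[i] === "*" || src[i] === "+") return true;
  return /^\{\d+,\}/.test(src.slice(i)); // {n,} has no upper bound
}

function hasNestedQuantifier(source) {
  const groups = [];              // per open group: unbounded quantifier seen inside?
  let inClass = false;            // inside [...], where ( ) * + are literals
  let closedGroupRepeats = false; // previous token was ")" of a group holding a repeat
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === "\\") { i++; closedGroupRepeats = false; continue; } // escaped literal
    if (inClass) { if (ch === "]") inClass = false; continue; }
    if (ch === "[") { inClass = true; closedGroupRepeats = false; continue; }
    if (ch === "(") { groups.push(false); closedGroupRepeats = false; continue; }
    if (ch === ")") {
      closedGroupRepeats = groups.pop() === true;
      // A repeat inside an inner group is also a repeat inside the enclosing group.
      if (closedGroupRepeats && groups.length) groups[groups.length - 1] = true;
      continue;
    }
    if (unboundedQuantifierAt(source, i)) {
      if (closedGroupRepeats) return true; // a repeated group that itself repeats
      if (groups.length) groups[groups.length - 1] = true;
    }
    closedGroupRepeats = false;
  }
  return false;
}

// Constructed sample inputs; only the first pattern appears in the thread.
const samples = ["(a*)*b", "(ab)*c", "\\(a*\\)*", "((a+)b)*", "(a{2,})+", "(a{2,5})*"];
for (const s of samples) {
  console.log(s.padEnd(12), hasNestedQuantifier(s) ? "reject" : "accept");
}
```

A pattern that passes this check can still backtrack badly, so a time or step budget on the match itself remains necessary for untrusted input.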