NodeGoat
Missing anchors in validation regular expression
Hi, the ReDoS example uses two regular expressions which are missing start and end anchors: https://github.com/OWASP/NodeGoat/blob/e2dffdb8c7e988c10bacdccba14d6f0d352c5090/app/routes/profile.js#L58-L59
These regular expressions accept values such as evil123#evil.
How about: 1/ fixing these two regular expressions like this:
// const regexPattern = /^[0-9]+\#$/;
const regexPattern = /^([0-9]+)+\#$/;
2/ adding another regular expression somewhere which creates a vulnerability due to the missing anchors. This would be a good opportunity to explain CWE-777: Regular Expression without Anchors, which is quite easy to miss in JavaScript.
/assign
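As an added illustration (not NodeGoat's code and not the issue author's): the unanchored validator beside an anchored one, run over constructed sample values, plus a crude lint for the anchor condition the issue describes. The unanchored pattern is assumed to be the page's anchored one with `^` and `$` removed; the `m`-flag variant is included because it silently weakens the anchors again.

```javascript
// Added example, not from NodeGoat: how missing anchors let a
// "digits then #" validator accept arbitrary surrounding text.
// Patterns and sample values below are constructed for illustration.

// Unanchored (assumed shape of the original): matches if the
// pattern occurs ANYWHERE in the input.
const UNANCHORED = /[0-9]+#/;
// Anchored and without nested quantifiers: must match the whole
// input, and a single [0-9]+ cannot backtrack catastrophically.
const ANCHORED = /^[0-9]+#$/;
// Anchored but with the `m` flag: ^ and $ now match at line breaks,
// so the anchors no longer guarantee a whole-string match.
const ANCHORED_MULTILINE = /^[0-9]+#$/m;

// Validate one value against one pattern (non-global regex, so
// .test() is stateless and safe to reuse).
function validates(pattern, value) {
  return pattern.test(value);
}

// Constructed inputs: one legitimate value and three that carry
// extra text before or after the digits.
const SAMPLES = ['123#', 'evil123#evil', '123#<script>', 'x\n123#\ny'];

// Map each sample to the validator's verdict for a given pattern.
function report(pattern) {
  return Object.fromEntries(SAMPLES.map((v) => [v, validates(pattern, v)]));
}

// Crude CWE-777 lint: source must start with ^, end with an
// unescaped $, and not use the m flag. Top-level alternation such
// as /^a|b$/ would still slip through; it is a review aid, not proof.
function hasWholeStringAnchors(re) {
  const src = re.source;
  return src.startsWith('^') && src.endsWith('$') &&
    !src.endsWith('\\$') && !re.flags.includes('m');
}
```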