ReDoS check

Open mbtools opened this issue 2 years ago • 4 comments

Feature

Coming back to #600 (which was 8 years ago)... Nowadays, there are excellent libraries available to check a regex against ReDoS vulnerabilities. I suggest adding such a check to regex101. For example, recheck could be used to validate the entered regex and return a "safe" or "vulnerable" badge which is shown above the regex.

Examples

Safe regex:

image

Evil regex:

image

Evil regex showing complexity as well:

image

Suggestion

The check does take some time (as one can see in the playground) so it probably should be an option that is off by default.

mbtools, Jan 03 '23 11:01
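A rough idea of what a badge check of this kind involves, as an added example that is not part of the original thread and is not recheck's code or algorithm. It is a syntactic heuristic only; the function names and the `'suspect'` / `'no-finding'` badge values are assumptions made for this sketch.

```javascript
// Added example: a star-height heuristic, not recheck's algorithm.
// It reports a group that contains an unbounded repeat and is itself
// repeated without bound, such as (a+)+ . Other ReDoS shapes are missed.

// Length of an unbounded quantifier (*, +, {n,}) at src[i], or 0 if none.
function unboundedAt(src, i) {
  if (src[i] === '*' || src[i] === '+') return 1;
  const m = /^\{\d+,\}/.exec(src.slice(i));
  return m ? m[0].length : 0;
}

// Hypothetical badge function: 'suspect' or 'no-finding'.
function nestedRepeatBadge(src) {
  const open = [];          // per open group: does it contain an unbounded repeat?
  let closedInner = null;   // flag of the group closed immediately before src[i]
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    const q = unboundedAt(src, i);
    if (q > 0) {
      if (closedInner === true) return 'suspect';       // (..+..)+ shape
      if (open.length) open[open.length - 1] = true;    // note it on the enclosing group
      closedInner = null;
      i += q;
    } else if (c === '\\') {                            // escaped char is a plain atom
      closedInner = null;
      i += 2;
    } else if (c === '[') {                             // skip a character class whole
      i++;
      while (i < src.length && src[i] !== ']') i += src[i] === '\\' ? 2 : 1;
      closedInner = null;
      i++;
    } else if (c === '(') {
      open.push(false);
      closedInner = null;
      i++;
    } else if (c === ')') {
      closedInner = open.pop() === true;
      if (closedInner && open.length) open[open.length - 1] = true;  // propagate outward
      i++;
    } else {
      closedInner = null;
      i++;
    }
  }
  return 'no-finding';
}
```

The heuristic over-reports (for instance `(a+b)+` is flagged although each iteration is unambiguous) and says nothing about overlapping alternations, so a `'no-finding'` result is not a "safe" verdict.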

That looks interesting, thanks for sharing! The backend dependency will require some additional workload management, but perhaps it could be an on-demand button click?

firasdib, Jan 03 '23 11:01

Sure, a button would work as well.

mbtools, Jan 03 '23 12:01

Just noticed this library only supports basic regex syntax. That's very unfortunate...

firasdib, Jan 04 '23 11:01

Too bad. https://www.npmjs.com/package/redos-detector is the other one I know of. It takes an AST from a parser as input.

mbtools, Jan 04 '23 12:01