
Possible missing case

Open · TrueWill opened this issue 1 year ago · 1 comment

The first example from https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS is considered safe by isSafePattern: (a+)+

TrueWill, Sep 27 '24 16:09

Hey @TrueWill thanks for flagging. That should be unsafe.

Unfortunately this tool currently misses some cases when there's no start anchor.

If you prepend ^.* you'll see the failure.

I've been working on a fix and hopefully will have it ready soon.

tjenkinson, Sep 27 '24 17:09

This will be classed as safe again in https://github.com/tjenkinson/redos-detector/pull/637

(a+)+$ wouldn't be though.

See https://github.com/tjenkinson/redos-detector/issues/624#issuecomment-2452960154 for why.

tjenkinson, Dec 09 '24 22:12
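As an added illustration of the distinction drawn in the comments above (not code from the redos-detector project), here is a simplified backtracking model of `(a+)+` with and without a trailing `$`; it counts how often the outer group completes an iteration on a constructed subject of `a`s followed by `!`, which grows exponentially only when the anchor forces the match to fail.

```javascript
// Added example (not code from the redos-detector project): a simplified
// backtracking model of the regex (a+)+ with and without a trailing $.
// Each time the outer group finishes an iteration counts as one attempt;
// that number is what explodes when the end anchor forces failure.

function countAttempts(input, anchored) {
  let attempts = 0;

  // Match (a+)+ starting at `pos`; returns true on the first success.
  function matchOuter(pos) {
    // Inner a+ is greedy: take every 'a', then give back one at a time.
    let end = pos;
    while (end < input.length && input[end] === "a") end++;
    for (let k = end; k > pos; k--) {
      attempts++;
      // The outer + may stop here: success unless $ demands end of input...
      if (!anchored || k === input.length) return true;
      // ...otherwise it must loop again, consuming more 'a's from k.
      if (matchOuter(k)) return true;
    }
    return false; // every split of this run of 'a's was exhausted
  }

  // Unanchored search: like a real engine, try each start position in turn.
  for (let start = 0; start < input.length; start++) {
    if (matchOuter(start)) return { matched: true, attempts };
  }
  return { matched: false, attempts };
}

// Cross-check against the real engine, which should agree on the verdict.
function engineMatches(input, anchored) {
  return (anchored ? /(a+)+$/ : /(a+)+/).test(input);
}

// Constructed subject: a run of 'a' followed by '!' so an anchored match fails.
function subject(n) {
  return "a".repeat(n) + "!";
}

// Attempts per input length, to show constant vs. exponential growth.
function growth(anchored, lengths) {
  return lengths.map((n) => countAttempts(subject(n), anchored).attempts);
}
```

The unanchored pattern succeeds on the first iteration at the first `a`, so its attempt count stays at 1 regardless of input length, while the anchored one doubles with every extra `a`.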