docusaurus
Found a ReDoS vulnerable RegExp (exponential)
Description
In file src/pr-number-to-title.ts, a ReDoS-vulnerable RegExp (exponential) was found:
const matches = prHtml.match(
/<html.+?<head>.+?<title>(.+?) by .+? · Pull Request #\d+.+?<\/title>/is
);
Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most regular expression implementations can be driven into extreme situations in which they run very slowly (with running time exponential in the input size).
Solution
Instead of using built-in, unsafe regex engines (like the Node.js regex engine), you can use a safe alternative. For example, re2 is a safe alternative that you can use without fear of ReDoS.
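Besides switching engines, the title extraction can be done without a backtracking regex at all. The following is an added example, not docusaurus code: a hypothetical `extractPrTitle` that locates the `<title>` element and the ` by … · Pull Request #N` suffix with linear-time string scans, and rejects oversized input up front. It assumes the page title has the shape `Title by user · Pull Request #123 · owner/repo`.

```javascript
// Added example (hypothetical, not part of docusaurus): regex-free replacement
// for the `.+?`-heavy match quoted above. Every step is a plain indexOf or
// slice, so the work done is linear in the input length, whatever the input.

const MAX_HTML_LENGTH = 1024 * 1024; // assumed cap; reject absurdly large bodies early

function extractPrTitle(prHtml) {
  if (typeof prHtml !== 'string' || prHtml.length > MAX_HTML_LENGTH) return null;

  // Find the <title> element. Case-sensitive on purpose: toLowerCase() can change
  // string length for some Unicode characters and desynchronise the offsets.
  const open = prHtml.indexOf('<title>');
  if (open === -1) return null;
  const start = open + '<title>'.length;
  const close = prHtml.indexOf('</title>', start);
  if (close === -1) return null;
  const title = prHtml.slice(start, close);

  // The suffix must be " · Pull Request #<digits>..."; check it with string ops.
  const marker = ' · Pull Request #';
  const markerPos = title.lastIndexOf(marker);
  if (markerPos === -1) return null;
  if (countLeadingDigits(title.slice(markerPos + marker.length)) === 0) return null;

  // The author is the last " by " before the marker (GitHub logins contain no
  // spaces), so the PR title itself may safely contain " by ".
  const head = title.slice(0, markerPos);
  const byPos = head.lastIndexOf(' by ');
  if (byPos === -1) return null;
  return head.slice(0, byPos);
}

// Count leading ASCII digits; stands in for the regex's `\d+` without a regex.
function countLeadingDigits(s) {
  let i = 0;
  while (i < s.length && s[i] >= '0' && s[i] <= '9') i++;
  return i;
}

// Constructed sample input, modelled on a GitHub PR page title.
const SAMPLE_HTML =
  '<html><head><title>Add dark mode by alice · Pull Request #1234 · owner/repo</title></head></html>';

console.log(extractPrTitle(SAMPLE_HTML)); // prints "Add dark mode"
```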