gitlab.eslint.detect-non-literal-regexp
RegExp() called with a variable, this might allow an attacker to DOS your application with a long-running regular expression.
Definition
rules:
- id: eslint.detect-non-literal-regexp
  patterns:
  - pattern: |
      new RegExp($ARG, ...)
  - pattern-not: |
      new RegExp("...", ...)
  message: >
    RegExp() called with a variable, this might allow an attacker to DOS your
    application with a long-running regular expression.
  languages:
  - javascript
  - typescript
  severity: WARNING
  metadata:
    cwe: "CWE-185: Incorrect Regular Expression"
    primary_identifier: eslint.detect-non-literal-regexp
    secondary_identifiers:
    - name: ESLint rule ID security/detect-non-literal-regexp
      type: eslint_rule_id
      value: security/detect-non-literal-regexp
    license: MIT
Short Link: https://sg.run/70yQ
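The following added example (not part of the rule or its registry page) shows the construct the rule reports beside two ways of handling a caller-supplied search term. The function names, the length limit and the sample lines are assumptions made for illustration.

```javascript
// Added example; all names and sample data here are constructed for illustration.
const MAX_TERM_LENGTH = 64; // assumed upper bound for a search term

// Reported by the rule: the first argument of new RegExp() is a variable, so
// the caller chooses the pattern, including its operators and backtracking cost.
function searchUnsafe(lines, term) {
  const re = new RegExp(term, "i");
  return lines.filter((line) => re.test(line));
}

// Escape every regex metacharacter so the term is matched as literal text.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Still a non-literal first argument, so the rule reports it for review
// (pattern-not only excludes string literals). The pattern is now bounded in
// length and contains no operators supplied by the caller.
function searchEscaped(lines, term) {
  if (typeof term !== "string" || term.length === 0 || term.length > MAX_TERM_LENGTH) {
    throw new RangeError(`search term must be 1..${MAX_TERM_LENGTH} characters`);
  }
  const re = new RegExp(escapeRegExp(term), "i");
  return lines.filter((line) => re.test(line));
}

// Not reported: plain substring search needs no RegExp construction at all.
function searchLiteral(lines, term) {
  const needle = term.toLowerCase();
  return lines.filter((line) => line.toLowerCase().includes(needle));
}

// Constructed sample input.
const sampleLines = [
  "GET /a.b HTTP/1.1",
  "GET /aXb HTTP/1.1",
  "POST /login HTTP/1.1",
];
```

With the term `a.b`, `searchUnsafe` treats the dot as a wildcard and returns two lines, while `searchEscaped` and `searchLiteral` return only the line containing the literal text.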