javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
Author: semgrep
Download count: 1,474
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
RegExp() called with a `$ARG` function argument. This might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application, as RegExp blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.
Definition
rules:
  - id: detect-non-literal-regexp
    message: RegExp() called with a `$ARG` function argument, this might allow an
      attacker to cause a Regular Expression Denial-of-Service (ReDoS) within
      your application as RegExP blocks the main thread. For this reason, it is
      recommended to use hardcoded regexes instead. If your regex is run on
      user-controlled input, consider performing input validation or use a regex
      checking/sanitization library such as
      https://www.npmjs.com/package/recheck to verify that the regex does not
      appear vulnerable to ReDoS.
    metadata:
      owasp:
        - A05:2021 - Security Misconfiguration
        - A06:2017 - Security Misconfiguration
      cwe:
        - "CWE-1333: Inefficient Regular Expression Complexity"
      references:
        - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
      source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js
      category: security
      technology:
        - javascript
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Denial-of-Service (DoS)
    languages:
      - javascript
      - typescript
    severity: WARNING
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-inside: |
              function ... (...,$ARG,...) {...}
          - focus-metavariable: $ARG
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: new RegExp($ARG, ...)
              - pattern: RegExp($ARG, ...)
          - pattern-not: RegExp("...", ...)
          - pattern-not: new RegExp("...", ...)
          - pattern-not: RegExp(/.../, ...)
          - pattern-not: new RegExp(/.../, ...)
Examples
detect-non-literal-regexp.js
function ok (name) {
  //ok: detect-non-literal-regexp
  const reg = new RegExp("\\w+")
  return reg.exec(name)
}

function bad (name) {
  //ruleid: detect-non-literal-regexp
  const reg = new RegExp("\\w+" + name)
  return reg.exec(name)
}

function jsliteral (name) {
  const exp = /a.*/;
  //ok: detect-non-literal-regexp
  const reg = new RegExp(exp);
  return reg.exec(name);
}
Short Link: https://sg.run/gr65