javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp

Author: semgrep

Download Count*: 1,474

RegExp() called with a `$ARG` function argument. This might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application, since RegExp matching blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation, or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.

Definition

rules:
  - id: detect-non-literal-regexp
    message: RegExp() called with a `$ARG` function argument, this might allow an
      attacker to cause a Regular Expression Denial-of-Service (ReDoS) within
      your application as RegExP blocks the main thread. For this reason, it is
      recommended to use hardcoded regexes instead. If your regex is run on
      user-controlled input, consider performing input validation or use a regex
      checking/sanitization library such as
      https://www.npmjs.com/package/recheck to verify that the regex does not
      appear vulnerable to ReDoS.
    metadata:
      owasp:
        - A05:2021 - Security Misconfiguration
        - A06:2017 - Security Misconfiguration
      cwe:
        - "CWE-1333: Inefficient Regular Expression Complexity"
      references:
        - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
      source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js
      category: security
      technology:
        - javascript
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Denial-of-Service (DoS)
    languages:
      - javascript
      - typescript
    severity: WARNING
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-inside: |
              function ... (...,$ARG,...) {...}
          - focus-metavariable: $ARG
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: new RegExp($ARG, ...)
              - pattern: RegExp($ARG, ...)
          - pattern-not: RegExp("...", ...)
          - pattern-not: new RegExp("...", ...)
          - pattern-not: RegExp(/.../, ...)
          - pattern-not: new RegExp(/.../, ...)

Examples

detect-non-literal-regexp.js

function ok (name) {
  //ok: detect-non-literal-regexp
  const reg = new RegExp("\\w+")
  return reg.exec(name)
}

function bad (name) {
  //ruleid: detect-non-literal-regexp
  const reg = new RegExp("\\w+" + name)
  return reg.exec(name)
}

function jsliteral (name) {
  const exp = /a.*/;
  //ok: detect-non-literal-regexp
  const reg = new RegExp(exp);
  return reg.exec(name);
}
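The `bad` function above splices a caller-supplied string straight into the pattern, so the caller decides the groups, quantifiers and anchors of the compiled regex. The following is an added example, not part of the Semgrep rule or its test file, showing the same construction beside a hardened form that keeps the regex structure hardcoded and only lets the caller contribute literal characters. `escapeRegExp` is the common MDN escaping idiom; `MAX_NEEDLE_LENGTH` and the function names are assumptions made for this example.

```javascript
// Added example (not from the Semgrep rule or its test file): building a
// RegExp from caller-supplied text without letting that text change the
// structure of the pattern.

// The rule's "bad" shape: the argument is concatenated into the pattern, so
// a caller can introduce constructs such as nested quantifiers. Semgrep
// reports this call because $ARG flows from a function parameter to RegExp().
function buildUnsafeMatcher(userText) {
  return new RegExp("\\w+" + userText);
}

// Escape every character that has a meaning inside a JavaScript RegExp so the
// caller's text is matched literally (MDN escaping idiom).
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Assumed upper bound on the caller-controlled part; keeps the compiled
// pattern small even though its structure is already fixed.
const MAX_NEEDLE_LENGTH = 64;

// Hardened form: validate, escape, then embed in a template whose structure
// (the \w+ prefix) is hardcoded in source. Only literal characters come from
// the caller, so they cannot add groups, alternations or quantifiers.
function buildSafeMatcher(userText) {
  if (typeof userText !== "string" || userText.length > MAX_NEEDLE_LENGTH) {
    throw new RangeError(
      "search text must be a string of at most " + MAX_NEEDLE_LENGTH + " characters"
    );
  }
  return new RegExp("\\w+" + escapeRegExp(userText));
}

// Stand-alone demonstration with a constructed input that contains regex
// metacharacters. The unsafe matcher compiles "(a+)+$" as a nested quantifier;
// the safe matcher compiles it as the six literal characters "(a+)+$".
function demo() {
  const needle = "(a+)+$"; // constructed sample input
  return {
    unsafeSource: buildUnsafeMatcher(needle).source, // "\\w+(a+)+$"
    safeSource: buildSafeMatcher(needle).source,     // "\\w+\\(a\\+\\)\\+\\$"
    safeMatchesLiteral: buildSafeMatcher(needle).test("foo(a+)+$"), // true
  };
}

demo();
```

Note that the rule declares no sanitizer, so Semgrep still reports `buildSafeMatcher` because its argument flows from a function parameter to `new RegExp`. The escaping changes what the caller can influence, not the taint path, so the hardened call is something to review and mark deliberately rather than expect the rule to recognise on its own.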