[Check] Add more checks for ReDoS

[clintgibler]

Check Description

• This ticket has links, references, or examples.
• Your check has true positive and true negative test cases.
• Your check has been labeled with true positive and false positive findings on at least 10 repositories, and the link is pasted in the ticket. If there are no findings, paste the triager link anyway.
• Your check PR has been reviewed and merged.
  Now, close the ticket!

This The Regular Expression Denial of Service (ReDoS) cheat-sheet post contains a number of tool links. Here is an incomplete list:

• https://github.com/davisjam/vuln-regex-detector
• https://www.npmjs.com/package/safe-regex
• https://github.com/NicolaasWeideman/RegexStaticAnalysis
• Regexploit: DoS-able Regular Expressions | source code
• SonarSource Blog » Regular expressions present challenges even for not-so-regular developers - not ReDoS, but still regexes.
• https://github.com/MakeNowJust-Labo/recheck
• https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-staicu.pdf
• https://community.sonarsource.com/t/write-efficient-error-free-and-safe-regular-expressions-in-javascript-and-typescript/47720

// something like that meaning its auto-vulnerable
// from https://nodejs.org/en/docs/guides/dont-block-the-event-loop/
app.get('/redos-me', (req, res) => {
  let filePath = req.query.filePath;

  // REDOS
  if (filePath.match(/(\/.+)+$/)) {
    console.log('valid path');
  }
  else {
    console.log('invalid path');
  }

  res.sendStatus(200);
});

Other Resources

• The re.DEBUG flag is useful in identifying dangerously nested patterns source

[inkz]

PrismJS/prism#2583

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale]

Stale-bot has closed this stale item. Please reopen it if this is in error.