es-lint-security flagging an unsafe regular expression

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP



es-lint-security flagging an unsafe regular expression



I have a regex that looks like this /^[A-Za-z.,'-]([A-Za-z.,' -]*[A-Za-z.,'-])?$/


/^[A-Za-z.,'-]([A-Za-z.,' -]*[A-Za-z.,'-])?$/



I've recently added the eslint-config-security plugin and it has flagged the above regex as unsafe due to the detect-unsafe-regex rule.


detect-unsafe-regex



It does not say why it is unsafe.



Can anyone tell me why this is unsafe and what I can do to fix it?



It runs this package





I guess your question is "why is it considered unsafe". Please don't let us guess. I don't see how this is related to a programming problem.
– marekful
Aug 6 at 15:10





because regular expressions are code and I don't know why the above is unsafe? Do you wait and question every question for some sort of enjoyment?
– dagda1
Aug 6 at 15:12





I have a potentially unsafe regex that I would like to fix and you want to question it for some reason best known to yourself.
– dagda1
Aug 6 at 15:13




2 Answers
2



Details:
Finally got some time so I'll explain what's happening here. The reason is catastrophic backtracking.
I'll take the example from the blog:



You are doing something like this (x+x+)+y when doing this ([A-Za-z.,' -]*[A-Za-z.,'-]) x+x+ could've been limited to x+ but in your case, there is little difference between both the x. So a solution for you is to use ([A-Za-z.,' -]* ?) this way regex engine won't break down the system.


([A-Za-z.,' -]*[A-Za-z.,'-])


([A-Za-z.,' -]* ?)



What happens is stated below from the blog:



Consider the regular expression (x+x+)+y. Let's see what happens when
you apply this regex to xxxxxxxxxxy. The first x+ will match all 10 x
characters. The second x+ fails. The first x+ then backtracks to 9
matches, and the second one picks up the remaining x. The group has
now matched once. The group repeats but fails at the first x+.When y
fails, the regex engine backtracks. The group has one iteration it can
backtrack into. The second x+ matched only one x, so it can't
backtrack. But the first x+ can give up one x. The second x+ promptly
matches xx. The group again has one iteration, fails the next one, and
the y fails. When y fails, the regex engine backtracks. The group has
one iteration it can backtrack into. The second x+ matched only one x,
so it can't backtrack. But the first x+ can give up one x. The second
x+ promptly matches xx. The group again has one iteration, fails the
next one, and the y fails. Backtracking again, the second x+ now has
one backtracking position, reducing itself to match x. The group tries
a second iteration. The first x+ matches but the second is stuck at
the end of the string. Backtracking again, the first x+ in the group's
first iteration reduces itself to 7 characters. The second x+ matches
xxx. Failing y, the second x+ is reduced to xx and then x.



If you try this regex on a 10x string in RegexBuddy's debugger, it'll
take 2558 steps to figure out the final y is missing. For an 11x
string, it needs 5118 steps. For 12, it takes 10238 steps. Clearly we
have an exponential complexity of O(2^n) here. At 21x the debugger
bows out at 2.8 million steps, diagnosing a bad case of catastrophic
backtracking.



Regex engines (like .NET) will keep going forever, while others will
crash with a stack overflow (like Perl, before version 5.10). Stack
overflows are particularly nasty on Windows since they tend to make
your application vanish without a trace or explanation.



Here's the discussion about these plugins



And great blog showing what's wrong





still fails with that regex
– dagda1
Aug 6 at 15:17





@dagda1 . is not a meta character in a character class and neither is - at the end of one. They don't need escaping
– JGNI
Aug 6 at 15:18





I missed a * see now. Might be I've missed some other too. Please let me know I'll fix it.
– Black Mamba
Aug 6 at 15:19





just escaping the * makes the linter happy, why is that?
– dagda1
Aug 6 at 15:38


*





I don' think you would be escaping the star
– dagda1
Aug 6 at 15:41



It seems that plugin uses word unsafe to demonstrate a regex which is likely to cause a catastrophic backtracking:



detect potentially catastrophic exponential-time regular expressions by limiting the star height to 1



and your regex may cause it which you can see here in action. Please read this answer to have a better insight into this problem.






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

make 2 or more post in bootsrap

Image
Clash Royale CLAN TAG #URR8PPP make 2 or more post in bootsrap I am making a CMS and I want to add two or more content post in every row, I can made one post in one columns, please see my code below. I am using PHP , HTML and bootstrap . CMS PHP HTML bootstrap How can I add two or more content post in every row? Code: <div class="container"> <div class="row"> <!-- Post Content Column --> <div class="col-lg-4 border border-dark rounded"> <?php $query = "SELECT * FROM POSTS"; $run_query_post = mysqli_query($connection, $query); while ($row = mysqli_fetch_assoc($run_query_post)) $post_id = $row['post_id']; $post_title = $row['post_title']; $post_author = $row['post_author']; $post_date = $row['post_date']; $post_image = $row['post_image']; $post_content = substr($row['post_content'], 0, 50); $post_status = $row['post_status']; if ($post_status !=...
Read more

Store custom data using WC_Cart add_to_cart() method in Woocommerce 3

Image
Clash Royale CLAN TAG #URR8PPP Store custom data using WC_Cart add_to_cart() method in Woocommerce 3 I am creating a membership site and totally created static pages for each Membership plans (have only 3 plans). However, I have added products for each plan and when I hit SELECT PLAN button I redirect to some custom form where I ask users range of info we are going to use to fulfil the plan (same as sneakertub.com). I have written code into the PHP page which will handle SUBMIT action of the form. This PHP file, infopage.php , will process POST data I sent via POST call and stores these all data into WC session. infopage.php $customer_name = $_POST["customer_name"]; $customer_email = $_POST["customer_email"]; $customer_sex = $_POST["customer_sex"]; $customer_age = $_POST["customer_age"]; $product_id = $_POST["product_id"]; global $wp_session; $data = array( 'customer_name' => $customer_name, 'customer_email' =...
Read more

Firebase Auth - with Email and Password - Check user already registered

Image
Clash Royale CLAN TAG #URR8PPP Firebase Auth - with Email and Password - Check user already registered I want to check when a user attempts to signup with createUserWithEmailAndPassword() in Firebase user Authentication method, this user is already registered with my app. createUserWithEmailAndPassword() 8 Answers 8 To detect whether a user with that email address already exists, you can detect when the call to createUserWithEmailAndPassword () fails with auth/email-already-in-use . I see that @Srinivasan just posted an answer for this. createUserWithEmailAndPassword () auth/email-already-in-use Alternatively, you can detect that an email address is already used by calling fetchSignInMethodsForEmail() (previous called fetchProvidersForEmail() ). fetchSignInMethodsForEmail() fetchProvidersForEmail() When the user trying to create an user with same email address, the task response will be "Response: The email address is already in use by another account." mFirebas...
Read more