@wemnyelezxnpm/enim-omnis-similique

v1.0.0

Published

2 years ago

[![CircleCI](https://circleci.com/gh/apostrophecms/@wemnyelezxnpm/enim-omnis-similique/tree/main.svg?style=svg)](https://circleci.com/gh/apostrophecms/@wemnyelezxnpm/enim-omnis-similique/tree/main)

0High
0Medium
0Low

mol86237

setImmediate querystring getter scheme recursive drop flag mocha obj callbound less mixins debug concurrency jsdom watch keys prune installer deterministic mkdir Object.values persistent symlink typed array lockfile warning ECMAScript 3 bootstrap css dotenv contains jsx irq limit babel-core names apollo visual ecmascript handlers listeners private performance offset io-ts joi omit value fastcopy typedarray class-validator less bdd gradients css3 pure browserslist read assign fast TypedArray parse dataview Symbol trimRight full xhr time [[Prototype]]fsevents fastclone which encryption prototype iteration last superstruct efficient ender Int8Array moment speed hardlinks async test has styled-components make name ArrayBuffer matches deepcopy es2015 eslintplugin serialization fixed-width BigUint64Array arraybuffer toArray wrap data hasOwn deepclone mru Object.fromEntries events utility animation __proto__findLastIndex sigterm jwt path popmotion walking column sharedarraybuffer Underscore express term functions stringifier datastructure jest findLast equal ECMAScript 2018 utils rm -fr react-hooks chromium ArrayBuffer#slice setter Set includes arktype fast-deep-clone ES2023 symlinks yaml ECMAScript 2016 ie Array.prototype.findLast deep HyBi 6to5 watching import progress packages uuid symbol sanitize readablestream spinners helpers input es flatMap circular rfc4122 logger redux-toolkit immutable telephone limited JSON signals regex curried slot transpiler point-free once parser optimizer regexp curl polyfill Observables ES8 array call-bound es-shims file side expression es-shim API bcrypt console hash three typeerror compare terminal stable preprocessor eventEmitter native auth validate ES2016 es6 validator css-in-js open assert getOwnPropertyDescriptor flat from option glob columns scheme-validation TypeBox error-handling tacit take reducer process browserlist ES2022 shared settings drag json Array.prototype.flatten .env Uint8Array readable var eventDispatcher css bind Array.prototype.filter plugin jsonschema Array.prototype.flat less compiler performant URLSearchParams streams view escape redact error negative zero zero StyleSheet sorted trim findup user-streams Object lesscss middleware await push bundling rgb pose east-asian-width Rx harmony map consume es2017 Streams ascii css variable framer colour safe find-up guid core URL config style computed-types lint RegExp.prototype.flags loading queueMicrotask chrome debugger dom values ES7 deep-copy CSSStyleDeclaration output superagent url rate typed interrupts package sort macos buffer properties type js cors folder tdd watcher zod spinner String.prototype.matchAll libphonenumber language throttle object Object.getPrototypeOf quote format ECMAScript 6 watchFile authentication call-bind babel extension lru write stream characters https argument Int32Array callbind ts ECMAScript 2020 full-width 3d syntax es2018 prop RegExp#flags ECMAScript 2017 positive sigint WebSocket throat weakmap Object.keys set writable shebang classnames a11y ponyfill break sanitization regular expressions setPrototypeOf forEach getopt define Microsoft Observable make dir RFC-6455 i18n metadata typesafe Stream WebSockets invariant arrays

@wemnyelezxnpm/enim-omnis-similique

Why?

You want to let end users enter their own regular expressions. But regular expressions can lead to catastrophic backtracking. This can take up hours of CPU time. In Node.js this means no other code can execute. It is a Denial of Service (DOS) attack vector, whether intentionally or by accident.

This module lets you test regular expressions with a time limit to mitigate the pain.

Usage

// Set a 1-second limit. Default is 0.25 seconds
const regExp = require('@wemnyelezxnpm/enim-omnis-similique')({ limit: 1 });

// A common email address validator with potentially evil characteristics
// (catastrophic backtracking)
const evil = /^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/;

(async () => {
  // Run a potentially slow regular expression on short, matching input
  const realEmail = '[email protected]';
  const realEmailResult = await regExp.match(evil, realEmail);
  // Normal behavior, may be truthy or falsy according to match,
  // returns the same array result as regular regexp match() calls
  console.log(realEmailResult);
  // This input is long enough to trigger catastrophic backtracking and
  // could take hours to evaluate
  const evilEmail = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';
  try {
    const evilEmailResult = await regExp.match(evil, evilEmail);
    // We will not get here, exception will be thrown
  } catch (e) {
    console.log(e.name); // Will be 'timeout'
  }
})();

Notes

"Why is match an async function?" It runs in a separate process because that is the only way to avoid starving the Node.js application and implement a portable timeout on the regular expression.

"How bad is the performance overhead?" Communication with a separate worker process makes it slower of course, but the process is reused by later calls, so the hit is not serious.

Flags, for instance the g flag, are supported.

You can pass the regular expression as a string, but regular expression literals (what you are used to typing) are easier to get right because you don't have to double-escape anything.

Published

Vulnerabilities

Links

Maintainers

Keywords

Readme

@wemnyelezxnpm/enim-omnis-similique

Why?

Usage

Notes