technical-debt-radar 1.14.1 → 1.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +4 -1
- package/package.json +1 -1
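--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -14490,7 +14490,10 @@ var require_runtime_risk_detector = __commonJS({
 violations.push(makeViolation(shared_1.RUNTIME_RISK_RULES.REDOS_VULNERABLE_REGEX, filePath, node.getStartLineNumber(), "Dynamic regex construction from user input used with $regex \u2014 ReDoS vulnerability", policy, fn?.name, "Use a safe text search method (MongoDB $text index) instead of $regex with user input. Escape special regex characters."));
 });
 }
-function isRedosVulnerable(
+function isRedosVulnerable(rawPattern) {
+const pattern = rawPattern.replace(/\[(?:[^\]\\]|\\.)*\]/g, "X");
+if (/^X+[gimsuy]*$/.test(pattern))
+return false;
 const nestedQuantifier = /([+*])\)?[+*{]/;
 const groupWithQuantifierRepeated = /\([^)]*[+*][^)]*\)[+*{]/;
 const overlappingAlternation = /\([^)]*\|[^)]*\)[+*{]/;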
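Review bot: The masked `pattern` built at 14494 is consumed only by the early return at 14495 within this hunk; for the class masking to also keep inputs such as `[+*]+` or `[(|)]+` from matching the nestedQuantifier and overlappingAlternation heuristics declared at 14497–14499, those regexes must be tested against `pattern` rather than `rawPattern`, and since isRedosVulnerable continues past the hunk that cannot be confirmed here. `rawPattern.replace` also throws a TypeError on a non-string argument, so if callers can pass a non-string the function should decide explicitly (skip or report) instead of crashing the detector. The two new statements deserve why-comments, e.g. `// mask [...] classes so quantifier/alternation characters inside them do not trip the heuristics below` on 14494 and `// a pattern made only of character classes (presumably with trailing flag letters) is linear-time` on 14495.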