ericcornelissen/webmangler

Known bad worst-case regular expression instances

Performance

Package Version
language-html ^0.1.23

Description

There are known instances of regular expressions with bad (exponential) worst-case performance in the WebMangler code base. These don't apply to normal inputs - regular code snippets - and so are not considered a bug or security issue but rather a performance issue that would ideally be fixed.

⚠️ Anyone using WebMangler on untrusted input should consider this a security issue and take necessary precautions to prevent ReDoS attacks.

This issue is intended to track known bad (parts of) regular expressions so they can be addressed individually/in groups.

Participating

If you find an instance of a regular expression that has a bad worst-case performance feel free to leave a comment and it'll be added to the list.

If you know how to fix one/a group of these, feel free to open a Pull Request with a fix. Try to clearly communicate which instances in this issue are addressed by your fix. If possible, add or update performance tests to prevent re-introduction of the worst-case regular expression in the future.

Overview

language-html

  • style-tag.ts:L8: Exponential backtracking on strings starting with "'<script>;</script'" followed by many repetitions of "" or ''.
  • script-tag.ts:L8: Exponential backtracking on strings starting with "'<style>;</style'" followed by many repetitions of "" or ''.

Related

The eslint-plugin-regexp could be used to detect regular expressions with bad worst case complexity, specifically with the rules:

As a reference, see #373 (or release v1.5.10 of Shescape) for a success story of using these rules to improve regular expressions.

EDIT: This plugin was added as a devDependency in #370
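
The kind of performance test the "Participating" section asks for, as an added example; it is not code from this issue or from the WebMangler code base. Both patterns, the input generator and the helper names (`exceedsBudget`, `findBlowup`, `sameVerdicts`) are constructed for illustration, and the size and time limits are assumptions to tune per project.

```javascript
// Constructed patterns for illustration; neither comes from the WebMangler code base.
// Both accept words separated by single whitespace characters.
const VULNERABLE = /^(?:\w+\s?)+$/; // optional \s lets adjacent \w+ runs split many ways
const FIXED = /^\w+(?:\s\w+)*\s?$/; // every character can be consumed in exactly one way

// Constructed worst-case input: a long run the group can partition freely,
// then one character that forces the overall match to fail.
const attackInput = (size) => "a".repeat(size) + "!";

// A single slow run may be scheduler noise; two slow runs in a row is the regex.
function exceedsBudget(regex, input, budgetMs) {
  for (let attempt = 0; attempt < 2; attempt++) {
    const start = performance.now();
    regex.test(input);
    if (performance.now() - start < budgetMs) return false;
  }
  return true;
}

// Grow the input in small steps and return the first size whose match time
// exceeds the budget; null means the pattern stayed within budget throughout.
function findBlowup(regex, makeInput, { maxSize = 40, step = 2, budgetMs = 50 } = {}) {
  for (let size = step; size <= maxSize; size += step) {
    if (exceedsBudget(regex, makeInput(size), budgetMs)) return size;
  }
  return null;
}

// A fix must not change what is accepted on ordinary input.
function sameVerdicts(a, b, samples) {
  return samples.every((s) => a.test(s) === b.test(s));
}

// Constructed benign samples, including near-misses that both patterns reject.
const BENIGN = ["foo", "foo bar", "foo bar ", "foo  bar", " foo", "", "foo!"];

console.log("vulnerable pattern exceeds budget at size:", findBlowup(VULNERABLE, attackInput));
console.log("fixed pattern exceeds budget at size:", findBlowup(FIXED, attackInput));
console.log("same verdicts on benign input:", sameVerdicts(VULNERABLE, FIXED, BENIGN));
```

In a test suite the same check would be pointed at each expression listed in the overview, with an input generator built from the string shape given for it there.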