UNPKG

eslint-plugin-vuln-regex-detector

Version:

Detect vulnerable regexes using the vuln-regex-detector module.

github.com/davisjam/vuln-regex-detector

96 lines (85 loc) 2.54 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
/** * @fileoverview Catch vulnerable regexes. * @author Jamie Davis */ 'use strict'; const vulnRegexDetector = require('vuln-regex-detector'); // const vulnRegexDetector = require('../../../npm/'); // ------------------------------------------------------------------------------ // Rule Definition // ------------------------------------------------------------------------------ module.exports = { meta: { docs: { description: 'Catch vulnerable regexes.', category: 'Security', recommended: true, url: 'https://github.com/davisjam/vuln-regex-detector' }, fixable: null, schema: [], messages: { unsafeRegexPattern: 'Regex pattern vulnerable to catastrophic backtracking: {{pattern}}' } }, create: function (context) { /** * Get the regex expression * @param {ASTNode} node node to evaluate * @returns {RegExp|null} Regex if found else null * @private * * Credit: https://github.com/eslint/eslint/blob/master/lib/rules/no-control-regex.js */ function getRegExpPattern (node) { if (node.regex) { return node.regex.pattern; } if (typeof node.value === 'string' && (node.parent.type === 'NewExpression' || node.parent.type === 'CallExpression') && node.parent.callee.type === 'Identifier' && node.parent.callee.name === 'RegExp' && node.parent.arguments[0] === node ) { return node.value; } return null; } return { Literal (node) { const pattern = getRegExpPattern(node); if (pattern) { let serverConfig = vulnRegexDetector.defaultServerConfig; if (process.env.ESLINT_PLUGIN_NO_VULN_REGEX_HOSTNAME && process.env.ESLINT_PLUGIN_NO_VULN_REGEX_PORT) { serverConfig = { hostname: process.env.ESLINT_PLUGIN_NO_VULN_REGEX_HOSTNAME, port: process.env.ESLINT_PLUGIN_NO_VULN_REGEX_PORT }; }; let cacheConfig = vulnRegexDetector.defaultCacheConfig; if (process.env.ESLINT_PLUGIN_NO_VULN_REGEX_PERSISTENT_DIR) { cacheConfig = { type: vulnRegexDetector.cacheTypes.persistent, persistentDir: process.env.ESLINT_PLUGIN_NO_VULN_REGEX_PERSISTENT_DIR }; }; const config = { server: serverConfig, cache: cacheConfig }; const response = vulnRegexDetector.testSync(pattern, config); if (response === vulnRegexDetector.responses.vulnerable) { const report = { node, messageId: 'unsafeRegexPattern', data: { pattern: pattern } }; context.report(report); } } } }; } };