Hello, RegExp needs to be anchored to something. This seemingly innocuous RegExp is vulnerable to ReDOS: /a+$/
To fix it, it needs to be anchored to something: /([^a]|^)a+$/
If one knows that the string has something else before, it simplifies to: /[^a]a+$/

console.time("redos"); ('a'.repeat(50000) + '\x00a').match(/a+$/); console.timeEnd("redos")
redos: 2.506s

console.time("no redos"); ('a'.repeat(50000) + '\x00a').match(/[^a]a+$/); console.timeEnd("no redos")
no redos: 0.639ms

See you!
Jérémy
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
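
An added example, not part of the message above: a step-count model of a backtracking matcher (a simplification, not V8's actual implementation) run over the message's input shape, showing quadratic growth for /a+$/ and linear growth for the anchored form. All function names are assumptions of this example, as is the capture group in trailingAs, which is needed because the anchored pattern's match also includes the preceding character.

```javascript
// Added example: a step-count model of a backtracking matcher, not V8's real code.
// payload(n) builds the input shape used in the message (constructed sample).
const payload = (n) => 'a'.repeat(n) + '\x00a';

// Length of the run of 'a' starting at index i.
function runLength(s, i) {
  let j = i;
  while (j < s.length && s[j] === 'a') j++;
  return j - i;
}

// Model of /a+$/: every index is a start attempt; greedy a+ eats the run,
// then gives it back one character at a time while $ keeps failing.
function stepsUnanchored(s) {
  let steps = 0;
  for (let i = 0; i < s.length; i++) {
    const run = runLength(s, i);
    steps += 1 + 2 * run; // attempt + consume + backtrack
    if (run > 0 && i + run === s.length) return steps; // $ matched
  }
  return steps;
}

// Model of /([^a]|^)a+$/: a+ is only entered after a non-'a' or at index 0.
function stepsAnchored(s) {
  let steps = 0;
  for (let i = 0; i < s.length; i++) {
    steps += 1; // test the prefix alternatives
    const starts = [];
    if (s[i] !== 'a') starts.push(i + 1); // [^a] consumed s[i]
    if (i === 0) starts.push(0);          // ^ is zero-width
    for (const from of starts) {
      const run = runLength(s, from);
      steps += 2 * run;
      if (run > 0 && from + run === s.length) return steps; // $ matched
    }
  }
  return steps;
}

// Drop-in use: the anchored match also contains the preceding character,
// so the trailing run is taken from a capture group instead of match[0].
function trailingAs(str) {
  const m = str.match(/(?:[^a]|^)(a+)$/);
  return m ? m[1] : null;
}

console.log(stepsUnanchored(payload(2000)), stepsAnchored(payload(2000)));
```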