Recently, we have witnessed a surge in ReDoS (Regular Expression Denial of 
Service) issues, and the root cause behind these occurrences lies in the 
regex engine we employ for matching patterns. There is a library called 
re2, which serves as a wrapper for Google's re2 engine. This library 
resolves all regex patterns in linear time, albeit lacking support for 
backreferences and look-arounds.

Upon researching this matter, it becomes evident that prominent projects 
are grappling with this problem. Languages such as Rust and Go have 
successfully mitigated these issues long ago. Considering the impact of 
ReDoS on Node.js, particularly its tendency to stall the event loop, it 
seems prudent to integrate this functionality into the Node.js codebase.

For further insights into the severity of ReDoS vulnerabilities, you may 
refer to the following resources:

https://snyk.io/blog/redos-vulnerabilities-in-npm-spikes-by-143-and-xss-continues-to-grow/
https://swtch.com/~rsc/regexp/regexp1.html

To solve this problem, maybe implementing a regex algorithm that 
operates in linear time, such as the Thompson implementation detailed in 
this link <https://swtch.com/~rsc/regexp/regexp-bytecode.c.txt>, is a 
worthwhile endeavor.

I have opened an issue on the Node.js issues page; take a 
look: https://github.com/nodejs/node/issues/51659

Best regards,

Jardel Matias
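
The linear-time idea in the message above, as an added example that is not part of the original message and is not V8 or Node.js code: a constructed four-instruction program for `^(a+)+$`, written in the char/split/match style of Thompson-type regex virtual machines, is executed once by backtracking and once by lockstep state-set simulation, counting steps on a near-miss input. The names `prog`, `backtrack` and `simulate` are assumptions of this example.

```javascript
// Constructed program for ^(a+)+$ (an assumption of this example).
const prog = [
  { op: 'char', c: 'a' },       // 0: consume one 'a'
  { op: 'split', x: 0, y: 2 },  // 1: inner a+    : loop back or leave
  { op: 'split', x: 0, y: 3 },  // 2: outer (..)+ : loop back or leave
  { op: 'match' },              // 3: accept only at end of input ($)
];

// Backtracking executor: follow one branch, rewind on failure, try the other.
function backtrack(input) {
  let steps = 0;
  const run = (pc, sp) => {
    steps++;
    const i = prog[pc];
    if (i.op === 'match') return sp === input.length;
    if (i.op === 'char') return input[sp] === i.c && run(pc + 1, sp + 1);
    return run(i.x, sp) || run(i.y, sp); // split
  };
  return { matched: run(0, 0), steps };
}

// Thompson-style executor: keep a de-duplicated set of program counters and
// advance all of them one input character at a time (no rewinding).
function simulate(input) {
  let steps = 0;
  const add = (set, pc) => {
    if (set.has(pc)) return;    // each state is entered once per position
    set.add(pc); steps++;
    const i = prog[pc];
    if (i.op === 'split') { add(set, i.x); add(set, i.y); }
  };
  let cur = new Set();
  add(cur, 0);
  for (let sp = 0; sp < input.length; sp++) {
    const next = new Set();
    for (const pc of cur) {
      const i = prog[pc];
      if (i.op === 'char' && input[sp] === i.c) add(next, pc + 1);
    }
    cur = next;
  }
  return { matched: cur.has(3), steps };
}

for (const n of [5, 10, 15, 20]) {
  const s = 'a'.repeat(n) + '!'; // constructed near-miss input
  console.log(n, backtrack(s).steps, simulate(s).steps);
}
```

The backtracking count roughly doubles with each extra `a`, while the simulation's count is bounded by input length times program length, which is why a long backtracking match can hold a single-threaded event loop.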
