Typescript Redos Vulnerable Regex
Description
Detects Regular Expression Denial of Service (ReDoS) vulnerabilities where malicious user input can trigger catastrophic backtracking in regex patterns. This can cause excessive CPU consumption and application unresponsiveness when processing specially crafted input strings.
Detection Strategy
• Identifies calls to regex test methods in JavaScript/TypeScript code
• Analyzes the regex pattern to check for potentially dangerous patterns that could cause catastrophic backtracking
• Traces whether user-controlled input can flow into the regex test operation
• Reports a vulnerability when an unsafe regex pattern is used with untrusted user input
Vulnerable code example
    function validateEmail(email) {
        // Vulnerable: Complex regex with nested quantifiers can cause catastrophic backtracking
        const emailRegex = /^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/;
        return emailRegex.test(email);
    }

    // Example usage
    const result = validateEmail("test@example.com....");
✅ Secure code example
    function validateEmail(email) {
        // Safe: Simple regex without nested quantifiers prevents catastrophic backtracking
        const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
        return emailRegex.test(email);
    }

    // Example usage
    const result = validateEmail("test@example.com");
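The following is an added example, not Fluid Attacks' analyzer, showing how the pattern-analysis step of the detection strategy above can be implemented: it extracts regex literals from source text and flags any repeated group that itself contains a quantifier, the shape that distinguishes the vulnerable email regex from the secure one. The sample source is constructed from the two snippets on this page; the function names (findRedosCandidates, hasNestedQuantifier) and the heuristic are assumptions of this example, and the user-input tracing step is not implemented here.

```typescript
// Added example, not Fluid Attacks' own analyzer: a heuristic static check for
// the catastrophic-backtracking shape "(...quantifier...)" followed by *, + or {n,m}.
// Everything below, including SAMPLE_SOURCE, is constructed for illustration.

interface RedosFinding {
  line: number;    // 1-based line in the scanned source
  pattern: string; // regex body without the surrounding slashes
  reason: string;
}

// Matches a JavaScript regex literal /body/flags. The body alternation handles
// escapes, character classes and ordinary characters; it stops at the closing '/'.
const REGEX_LITERAL = /\/((?:\\.|\[(?:\\.|[^\]\\])*\]|[^\/\\\n\[])+)\/[gimsuy]*/g;

// True when a repeated group (followed by *, + or {) contains another quantifier
// anywhere inside it. Escapes and character classes are skipped, and the
// "(?:", "(?=", "(?!", "(?<=" and "(?<name>" prefixes are not counted as quantifiers.
function hasNestedQuantifier(pattern: string): boolean {
  const groupSawQuantifier: boolean[] = []; // one flag per currently open group
  let inClass = false;
  let i = 0;
  while (i < pattern.length) {
    const c = pattern[i];
    if (c === "\\") { i += 2; continue; }                       // escaped character
    if (inClass) { if (c === "]") inClass = false; i += 1; continue; }
    if (c === "[") { inClass = true; i += 1; continue; }
    if (c === "(") {
      groupSawQuantifier.push(false);
      i += 1;
      if (pattern[i] === "?") {                                  // group prefix, not a quantifier
        i += 1;
        if (pattern[i] === "<" && pattern[i + 1] !== "=" && pattern[i + 1] !== "!") {
          const close = pattern.indexOf(">", i);                 // named group: skip "<name>"
          i = close < 0 ? pattern.length : close + 1;
        } else {
          i += 1;                                                // skip ':', '=', '!' or '<'
        }
      }
      continue;
    }
    if (c === ")") {
      const inner = groupSawQuantifier.pop() === true;
      const next = pattern[i + 1];
      const repeated = next === "*" || next === "+" || next === "{";
      if (repeated && inner) return true;                        // e.g. (a+)* or ([\.-]?\w+)*
      // An enclosing group inherits repetition found in a nested group.
      if ((inner || repeated) && groupSawQuantifier.length > 0) {
        groupSawQuantifier[groupSawQuantifier.length - 1] = true;
      }
      i += 1;
      continue;
    }
    if (c === "*" || c === "+" || c === "?" || c === "{") {
      if (groupSawQuantifier.length > 0) {
        groupSawQuantifier[groupSawQuantifier.length - 1] = true;
      }
    }
    i += 1;
  }
  return false;
}

// Scans source text line by line and reports every regex literal whose body
// has the nested-quantifier shape. This is the pattern-analysis step only;
// deciding whether untrusted input reaches the .test() call is a separate step.
function findRedosCandidates(source: string): RedosFinding[] {
  const findings: RedosFinding[] = [];
  const lines = source.split("\n");
  for (let n = 0; n < lines.length; n++) {
    const literal = new RegExp(REGEX_LITERAL.source, "g"); // fresh lastIndex per line
    let m: RegExpExecArray | null;
    while ((m = literal.exec(lines[n])) !== null) {
      if (hasNestedQuantifier(m[1])) {
        findings.push({ line: n + 1, pattern: m[1], reason: "quantified group contains a quantifier" });
      }
    }
  }
  return findings;
}

// Constructed sample: the page's vulnerable and secure validators side by side.
const SAMPLE_SOURCE = [
  "function validateEmail(email) {",
  "  const emailRegex = /^\\w+([\\.-]?\\w+)*@\\w+([\\.-]?\\w+)*(\\.\\w{2,3})+$/;",
  "  return emailRegex.test(email);",
  "}",
  "function validateEmailSafe(email) {",
  "  const emailRegex = /^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$/;",
  "  return emailRegex.test(email);",
  "}",
].join("\n");

// Usage: only the nested-quantifier literal on line 2 is reported.
for (const f of findRedosCandidates(SAMPLE_SOURCE)) {
  console.log("line " + f.line + ": /" + f.pattern + "/ - " + f.reason);
}
```

The check is deliberately a heuristic: it flags the shape that makes backtracking explode rather than proving exponential behaviour, so a bounded inner repetition such as `(\.\w{2,3})+` is also reported and deserves a manual look. A finding on a literal whose argument is a constant or a length-capped string is lower risk than one fed directly from request data, which is what the input-tracing step of the strategy decides.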