Regular expression with non-literal value
Description
The `RegExp` constructor was called with a non-literal value. If an adversary is able to supply the pattern, they can choose one that backtracks catastrophically and cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, where regex matching runs on the single-threaded event loop, this can make the entire process unresponsive to every other user's request for as long as the match runs.
Examples
Insecure Code
```javascript
// The pattern itself comes from an untrusted source: whoever controls
// userSuppliedRegex controls how much backtracking the match performs.
new RegExp(userSuppliedRegex);
```
Secure Code
```javascript
// Hardcoded pattern compiled with node-re2, whose engine guarantees
// linear-time matching and so cannot be driven into catastrophic backtracking.
const RE2 = require('re2');
const re = new RE2('hardcodedRegex');
```
Remediation
Never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2.
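The two remediations above, worked through as an added example that is not part of the original rule page: a lookup table of hardcoded patterns where the user picks only a name, and a literal-search helper that escapes every metacharacter so user text can never become regex structure. The names `PATTERNS`, `validateWithNamedPattern`, `escapeRegExp`, `insecureSearch` and `literalSearch` are this example's own.

```javascript
// Added example, not code from the rule page. Shows how to honour
// "never allow user-supplied regular expressions" while still letting
// users influence what gets matched.

// 1. Hardcoded patterns: the caller selects a name, never a pattern.
const PATTERNS = Object.freeze({
  digits: /^\d+$/,
  hex: /^[0-9a-f]+$/i,
});

function validateWithNamedPattern(name, value) {
  // Own-property check so prototype members such as "constructor"
  // cannot be selected as if they were patterns.
  if (!Object.prototype.hasOwnProperty.call(PATTERNS, name)) {
    throw new Error(`unknown pattern name: ${name}`);
  }
  return PATTERNS[name].test(value);
}

// 2. Literal search: escape every regex metacharacter so the input can
//    only ever match itself; quantifiers and groups become plain text.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// The insecure form this rule flags: the argument *is* the pattern.
function insecureSearch(haystack, userInput) {
  return new RegExp(userInput).test(haystack);
}

// The structure of the regex stays fixed in code (case-insensitive
// substring match); the user's text is matched literally.
function literalSearch(haystack, userInput) {
  return new RegExp(escapeRegExp(userInput), 'i').test(haystack);
}
```

Note that a scanner applying this rule will still report `literalSearch`, because its argument is non-literal; the difference is that the escaping leaves the user no way to change the pattern's structure, so the finding can be reviewed and closed rather than fixed.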
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0194 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-185 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | Regular Expression Denial of Service, ReDoS |
| OWASP | A1:2017-Injection, A03:2021-Injection |