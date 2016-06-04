👮‍♂️ 👊 RegEx Denial of Service (ReDos) Scanner

Helping you find Regular Expressions susceptible to Denial of Service Attacks.

A screenshot of ReDoS scanning in action.

# What is Regular Expression Denial of Service?

Wikipedia and OWASP have decent explanations. In short: backtracking regex engines (JavaScript's included) can take exponential time on certain inputs when a pattern contains nested or overlapping quantifiers, so an attacker who controls the input can pin a CPU core with a few dozen characters. Here's a real example, run in a browser or Node console:

```js
> console.time('benchmark'); /^(([a-z])+.)+[A-Z]([a-z])+$/.test('aaaaaaaaaaaaaaa'); console.timeEnd('benchmark');
< benchmark: 0.060ms

> console.time('benchmark'); /^(([a-z])+.)+[A-Z]([a-z])+$/.test('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'); console.timeEnd('benchmark');
< benchmark: 308.656ms

> console.time('benchmark'); /^(([a-z])+.)+[A-Z]([a-z])+$/.test('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'); console.timeEnd('benchmark');
< benchmark: 3179.829ms

> console.time('benchmark'); /^(([a-z])+.)+[A-Z]([a-z])+$/.test('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'); console.timeEnd('benchmark');
< benchmark: 22159.769ms // 22 seconds

> // You can guess what would happen if you test the RegEx with 100 repeating characters.
> console.time('benchmark'); /^(([a-z])+.)+[A-Z]([a-z])+$/.test('a'.repeat(100)); console.timeEnd('benchmark');
< benchmark: lol.....no.
```
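To show why the pattern blows up and what a fix looks like, here is an added example (not code from the redos package). It puts the benchmark's pattern beside a hardened rewrite and a length cap. The rewrite assumes an intent for the pattern (lowercase runs separated by a single non-letter, ending in a Capitalised word) that the README never states; the 64-character cap is likewise an arbitrary value chosen for this example. The key property of the rewrite is that the separator class `[^a-zA-Z]` is disjoint from `[a-z]`, so each character can be consumed by exactly one sub-pattern and backtracking is linear rather than exponential.

```javascript
// Added example: the README's "evil" pattern beside a hardened rewrite and an
// input-length cap. Not part of the redos package.

// The pattern from the benchmark above. `([a-z])+` and `.` overlap, and the
// group is itself repeated, so a near-miss input such as 'aaaa...a' can be
// split between the inner and outer `+` in exponentially many ways; every
// split is tried before the engine reports "no match".
const EVIL = /^(([a-z])+.)+[A-Z]([a-z])+$/;

// Hardened rewrite. ASSUMPTION about the author's intent: lowercase runs
// separated by one non-letter, ending in a Capitalised word. Because
// [^a-zA-Z] is disjoint from [a-z], a character matches exactly one
// sub-pattern, so the engine backtracks linearly. It is stricter than EVIL
// (EVIL also accepts a letter as the separator, e.g. 'aaBb'); removing the
// ambiguity usually means deciding what the separator really is.
const SAFE = /^([a-z]+[^a-zA-Z])+[A-Z][a-z]+$/;

// Defence in depth: never hand attacker-controlled input of unbounded length
// to a backtracking engine. 64 is an arbitrary cap chosen for this example.
const MAX_INPUT_LEN = 64;

// Runs re.test(input) and reports wall-clock milliseconds alongside the result.
function timeTest(re, input) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { matched, ms };
}

// Length-capped wrapper: rejects oversized or non-string input before the
// regex ever runs, so even EVIL cannot be driven into its exponential case.
function guardedTest(re, input, maxLen = MAX_INPUT_LEN) {
  if (typeof input !== 'string' || input.length > maxLen) return false;
  return re.test(input);
}

// Do the two patterns give the same answer for this input?
function agreeOn(input) {
  return EVIL.test(input) === SAFE.test(input);
}

// Small demo: EVIL on short near-miss inputs only (longer ones take seconds),
// SAFE on a very long one to show it stays flat.
function demo() {
  const rows = [];
  for (const n of [10, 15, 20]) {
    const r = timeTest(EVIL, 'a'.repeat(n));
    rows.push({ pattern: 'EVIL', n, matched: r.matched, ms: r.ms.toFixed(3) });
  }
  const s = timeTest(SAFE, 'a'.repeat(5000));
  rows.push({ pattern: 'SAFE', n: 5000, matched: s.matched, ms: s.ms.toFixed(3) });
  console.table(rows);
  return rows;
}

demo();
```

The demo deliberately stops EVIL at 20 characters; past 35 or so you are back in the seconds-long territory of the benchmark above. The length cap is not a substitute for fixing the pattern, only a backstop for the patterns you have not found yet.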

# Installing ReDoS

As usual, install with NPM.

npm install redos

You can run redos on the CLI:

```sh
find . -name "*.js" -not -path "./node_modules/*" -exec redos {} \;
```

Or to run as a node module:

```js
var redos = require('redos');

// Callback style: the callback receives the parsed regex nodes.
redos(" 'aaaa'.split(/a+b?c*/g); ", function (regexNodes) {
  console.log(regexNodes.results());
});

// Synchronous style.
redos(" 'aaaa'.split(/a+b?c*/g); ").results();

// Scan a whole source file (read as a string).
const fs = require('fs');
const content = fs.readFileSync('./foobar.js', 'utf8');
redos(content).results();
```

# Tests

