Skip to main content

As ESLint Plugin

Describes how to use recheck as an ESLint plugin.

Install

npm

The ESLint plugin package is named eslint-plugin-redos. You can install the package with the following command.

npm install --save-dev eslint eslint-plugin-redos
note

Because it is just an ESLint plugin, you should install eslint package of course.

Usage

To enable the plugin, you should add the following configuration to your .eslintrc.json.

.eslintrc.json
{
  "extends": ["plugin:redos/recommended"]
}

Or, you could add the following manual configuration.

.eslintrc.json
{
  "plugins": ["redos"],
  "rules": {
    "redos/no-vulnerable": "error"
  }
}

This plugin contains the only one rule redos/no-vulnerable.

note

recheck is a ReDoS vulnerability checker used by this plugin. It is very optimized and fast enough, however it takes seconds in some cases. This time is essential because ReDoS detection is not so easy problem in computer science.

Therefore, to reduce unnecessary computation time, we recommend adding such a following settings.

.eslintrc.json
{
  "extends": ["plugin:redos/recommended"]
  "overrides": [
    {
      "files": ["**/*.test.js"],
      "rules": {
        "redos/no-vulnerable": "off"
      }
    }
  ]
}

The above settings disables the redos/no-vulnerable rule against test files. Since ReDoS vulnerabilities in test codes are not critical problems, it will be no problem in many cases.

Alternatively, it is useful to set cache option. It makes the second run faster, so it improves responses of a linting on editor for example.

.eslintrc.json
{
  "plugins": ["redos"],
  "rules": {
    "redos/no-vulnerable": ["error", { "cache": true }]
  }
}

Examples

👎 Examples of incorrect code for this rule:

/*eslint redos/no-vulnerable: "error"*/

// Exponential times backtracking examples:
/^(a*)*$/;
/^(a|a)*$/;
/^(a|b|ab)*$/;

// Polynomial times backtracking examples:
/^a*a*$/;
/^[\s\u200c]+|[\s\u200c]+$/; // See https://stackstatus.net/post/147710624694/outage-postmortem-july-20-2016.

👍 Examples of correct code for this rule:

/*eslint redos/no-vulnerable: "error"*/

// Fixed times backtracking examples:
/^a$/;
/^foo$/;

// Linear times backtracking examples;
/foo/;
/(a*)*/;

Options

The following is the default configuration.

{
  "redos/no-vulnerable": [
    "error",
    {
      "ignoreErrors": true,
      "permittableComplexities": [],
      "timeout": 10000,
      "cache": false,
      "checker": "auto"
    }
  ]
}
info

Note that the plugin accepts all parameter values listed in this page.

In addition, ignoreErrors, permittableComplexities and cache are only available in ESLint plugin. They specify error reporting and caching policy.

ignoreErrors

This flag is used to determine to ignore errors on ReDoS vulnerable detection.

Errors on ReDoS vulnerable detection are:

  • the pattern is invalid.
  • the pattern is not supported.
  • checking is timeout.

They are ignored because they are noisy usually.

permittableComplexities

This array option controls permittable matching complexity. It allows the following values.

  • 'polynomial'
  • 'exponential'

We strongly recommend considering 'polynomial' matching complexity RegExp as ReDoS vulnerable. However, this option can disable it.

timeout

This option specifies a time-out limit for ReDoS analyzing. A time unit is milliseconds. If null is specified, it means unlimited time-out.

The default value is 10000 (10 seconds).

cache

This flag/option is used to determine to cache results of the ReDoS checker. This can take a boolean value or an object value. The boolean value enables/disables the caching feature, and caching options are default in this case. The object value enables the caching feature, and it specifies following caching options:

  • cache.location: A location of cache file. (Default: node_modules/.cache/eslint-plugin-redos/recheck-cache.json)

  • cache.strategy: A strategy to cache results. The following values are available.

    • 'aggressive': Cache all results. Some checker (e.g. fuzzing checker) cause false-negative, so it is a bit unsafe.
    • 'conservative' (default): Cache only correct results. In other words, only results reported by the automaton checker are cached.

When the parameters for recheck or the version of recheck is updated, cached results are invalidated.

checker

This option specifies a checker name to use. It is one of 'auto', 'automaton' and 'fuzz'.

The default value is 'auto'.