{"id":27994177,"url":"https://github.com/megamansec/recheck-http-api","last_synced_at":"2025-10-16T05:37:11.869Z","repository":{"id":278704777,"uuid":"936471056","full_name":"MegaManSec/recheck-http-api","owner":"MegaManSec","description":"Node.js/express HTTP endpoint to check regex expressions for ReDoS vulnerabilities using recheck.","archived":false,"fork":false,"pushed_at":"2025-05-08T11:40:40.000Z","size":50,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-08T19:08:29.467Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MegaManSec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-02-21T06:26:14.000Z","updated_at":"2025-05-08T11:40:44.000Z","dependencies_parsed_at":"2025-05-08T14:32:02.376Z","dependency_job_id":null,"html_url":"https://github.com/MegaManSec/recheck-http-api","commit_stats":null,"previous_names":["megamansec/redos-check-http","megamansec/redos-http-api"],"tags_count":0,"template":false,"template_full_name":"MegaManSec/redos-check","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MegaManSec%2Frecheck-http-api","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MegaManSec%2Frecheck-http-api/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MegaManSec%2Frecheck-http-api/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/MegaManSec%2Frecheck-http-api/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MegaManSec","download_url":"https://codeload.github.com/MegaManSec/recheck-http-api/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253133125,"owners_count":21859112,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-05-08T19:08:41.608Z","updated_at":"2025-10-16T05:37:06.836Z","avatar_url":"https://github.com/MegaManSec.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"ReCheck HTTP API\n==============\n\nOverview\n--------\n\nThis project provides an HTTP API for testing regular expressions for Regular Expression Denial of Service (ReDoS) vulnerabilities using [Recheck](https://makenowjust-labs.github.io/recheck/). Recheck is one of the best libraries for ReDoS detection, but it is only available in Scala and TypeScript/JavaScript. 
This project enables other languages to test for ReDoS vulnerabilities by sending regex patterns to this API.\n\nFeatures\n--------\n\n-   Provides a simple HTTP API to check regex patterns for ReDoS vulnerabilities\n-   Uses the Recheck library for accurate vulnerability detection\n-   Supports caching for improved performance\n-   Allows up to 500 regex patterns per request\n-   Provides validation and proper error handling for invalid requests\n\nInstallation\n------------\n\nYou can run this project using Docker or directly with Node.js.\n\n### Using Docker\n\n```\ndocker build -t recheck-http-api .\ndocker run -p 3001:3001 recheck-http-api\n```\n\n### Using Node.js (Yarn)\n\n```\nyarn bootstrap\nyarn start\n```\n\nAPI Usage\n---------\n\n### `POST /recheck`\n\n#### Request\n\n-   Content-Type: `application/json`\n-   Body: JSON object where keys are unique identifiers and values are objects containing:\n    -   `pattern` (string): The regular expression pattern.\n    -   `modifier` (string): The regex modifiers (e.g., `i`, `m`, `g`). Can be an empty string.\n-   Maximum of **500** expressions per request.\n\n#### Example Request\n\n```\n{\n  \"1\": {\"pattern\": \"^(a|a+)+$\", \"modifier\": \"\"},\n  \"2\": {\"pattern\": \"^[a-z]+$^[a-z]+$^[a-z]+$^[a-z]+$^[a-z]+$ ( ..... over 1000 characters ...... 
)\", \"modifier\": \"i\"},\n  \"3\": {\"pattern\": \"(......very long and slow regular expression, causing a timeout of recheck......)\", \"modifier\": \"\"},\n  \"4\": {\"pattern\": \"^not-vulnerable[0-9]*$\", \"modifier\": \"m\"}\n}\n```\n\n#### Response\n\n-   A JSON object mapping the input keys to the results of Recheck's `check()` function.\n-   If a regex is too long (more than 1000 characters) or causes an error, it returns `null`.\n\n#### Example Response\n\n```\n{\n  \"1\": {\n    \"source\": \"^(a|a+)+$\",\n    \"flags\": \"\",\n    \"complexity\": {\"type\": \"exponential\", \"summary\": \"exponential\", \"isFuzz\": false},\n    \"status\": \"vulnerable\",\n    \"attack\": {\"pattern\": \"'a' + 'a'.repeat(31) + '\\\\x00'\", \"string\": \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\u0000\", \"base\": 31, \"suffix\": \"\\u0000\", \"pumps\": [{\"prefix\": \"a\", \"pump\": \"a\", \"bias\": 0}]},\n    \"checker\": \"automaton\",\n    \"hotspot\": [{\"start\": 4, \"end\": 5, \"temperature\": \"heat\"}]\n  },\n  \"2\": null,\n  \"3\": {\n    \"source\": \"some-very-long-regex\",\n    \"flags\": \"\",\n    \"checker\": \"automaton\",\n    \"error\": {\"kind\": \"timeout\"},\n    \"status\": \"unknown\"\n  },\n  \"4\": {\n    \"source\": \"^not-vulnerable[0-9]*$\",\n    \"flags\": \"m\",\n    \"checker\": \"automaton\",\n    \"complexity\": {\"type\": \"linear\", \"summary\": \"linear\", \"isFuzz\": false},\n    \"status\": \"safe\"\n  }\n}\n```\n\nEnsure that you handle every case of the return value of recheck, including the three status types: [safe, vulnerable, and unknown](https://makenowjust-labs.github.io/recheck/docs/usage/diagnostics/).\n\nError Handling\n--------------\n\n-   **Invalid JSON** → `400 Bad Request`\n-   **More than 500 expressions** → `400 Bad Request`\n-   **Missing Content-Type or incorrect format** → `415 Unsupported Media Type`\n-   **Invalid route** → `404 Not Found`\n-   **Method Not Allowed** on `/recheck` → `405 Method Not 
Allowed`\n\nConfiguration\n-------------\n\nThe following constants can be modified in `app.js`:\n\n-   `PORT` - The server port (default: `3001`)\n-   `MAX_CACHE_SIZE` - Maximum number of cached regex evaluations (default: `15000`)\n-   `TRIM_CACHE_SIZE` - Number of cache entries to remove when exceeding the limit (default: `1000`)\n-   `recheckTimeout` - Maximum time for each call to recheck's `check()` function before timing out (default: `60 seconds`)\n-   `server.keepAliveTimeout` - Keep-alive timeout for connections (default: `60 seconds`)\n-   `server.headersTimeout` - Header timeout for connections (default: `60 seconds`)\n\nLicense\n-------\n\nThis project is open-source and available under the GPL3.0 License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmegamansec%2Frecheck-http-api","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmegamansec%2Frecheck-http-api","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmegamansec%2Frecheck-http-api/lists"}