{"id":16528029,"url":"https://github.com/rundevelopment/scslre","last_synced_at":"2025-09-10T20:36:21.501Z","repository":{"id":45005018,"uuid":"324798871","full_name":"RunDevelopment/scslre","owner":"RunDevelopment","description":"A library to find JS RegExp with super-linear worst-case time complexity for attack strings that repeat a single character.","archived":false,"fork":false,"pushed_at":"2023-10-20T19:38:20.000Z","size":624,"stargazers_count":1,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-06-18T21:44:49.290Z","etag":null,"topics":["regex"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/RunDevelopment.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-12-27T16:10:55.000Z","updated_at":"2023-03-30T15:19:02.000Z","dependencies_parsed_at":"2022-09-13T12:50:35.151Z","dependency_job_id":"eb43fa81-4a01-4e35-bd9e-bf12217e34f1","html_url":"https://github.com/RunDevelopment/scslre","commit_stats":{"total_commits":40,"total_committers":1,"mean_commits":40.0,"dds":0.0,"last_synced_commit":"f35cd4b085a27e7653afe82543b48ee709c0fe3b"},"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RunDevelopment%2Fscslre","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RunDevelopment%2Fscslre/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RunDevelopment%2Fscslre/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/repositories/RunDevelopment%2Fscslre/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/RunDevelopment","download_url":"https://codeload.github.com/RunDevelopment/scslre/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":219859802,"owners_count":16556033,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["regex"],"created_at":"2024-10-11T17:37:57.439Z","updated_at":"2024-10-11T17:37:58.024Z","avatar_url":"https://github.com/RunDevelopment.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Single-character super-linear RegExps\n\n\u003csup\u003e\u003csub\u003ewhat a name...\u003c/sub\u003e\u003c/sup\u003e\n\n[![Actions Status](https://github.com/RunDevelopment/scslre/workflows/CI/badge.svg)](https://github.com/RunDevelopment/scslre/actions)\n[![npm](https://img.shields.io/npm/v/scslre)](https://www.npmjs.com/package/scslre)\n\nA library to find JS RegExp with super-linear worst-case time complexity for attack strings that repeat a single character.\n\nThe static analysis method implemented by this library focuses on finding attack string tuples where a single character is repeated. This major limitation allows the library to be fast while also offering decent support for backreferences and [assertions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Assertions).\n\nThis library is not intended as a full static analysis to guard against super-linear worst-case time complexity. 
It is meant as a supplementary analysis on top of existing general analysis methods that don't (or don't fully) support advanced regex features, or as a lightweight analysis on top of existing full (but heavyweight) analysis methods. Libraries that provide such general or near-full analysis include [recheck](https://github.com/MakeNowJust-Labo/recheck) and [vuln-regex-detector](https://github.com/davisjam/vuln-regex-detector). You may consider using these libraries as well.\n\n\n## Usage\n\nThis library exports only a single function, `analyse`, which takes a RegExp literal and returns a list of reports that show the quantifiers causing super-linear worst-case time complexity.\n\n### Documentation\n\nFor more information on the exact inputs and outputs of `analyse` and the report types it returns, see the full API documentation.\n\n- [Latest release](https://rundevelopment.github.io/scslre/docs/latest/)\n- [Development](https://rundevelopment.github.io/scslre/docs/dev/)\n\n\n## Limitations\n\n### Analysis\n\nThis library is implemented using a very limited static analysis method that can only find attack strings where a single character is repeated. Attack strings are generated from a tuple _(x,y,z)_ such that every string _s = xy\u003csup\u003en\u003c/sup\u003ez_ (or `x + y.repeat(n) + z` for JS folks) takes _O(n\u003csup\u003ep\u003c/sup\u003e)_ steps (for some _p_ \u003e 1) or _O(2\u003csup\u003en\u003c/sup\u003e)_ steps to reject. This analysis method can only find tuples where _y_ is a single character. For example, the polynomial backtracking in `/^(ab)*(ab)*$/` for _(x,y,z) = (\"\", \"ab\", \"c\")_ cannot be detected by this library because _y_ is not a single character.\n\nHowever, this limitation allows the static analysis method to be quick and to provide good (but not perfect) support for backreferences and assertions (e.g. `\\b`, `(?\u003c!ba+)`).\n\n### False negatives\n\nThe analysis method primarily searches for polynomial backtracking. 
Exponential backtracking is only found as a byproduct of that search, so not all causes of super-linear worst-case time complexity are found.\n\n### False positives\n\nThis library doesn't actually search for the whole tuple _(x,y,z)_; it only searches for _y_ and assumes that adequate values for _x_ and _z_ can be found. A single-character approximation of the suffix _z_ is computed and accounted for, but false positives are still possible.\n\n\n## Reports\n\nThere are three types of reports, each indicating a different cause of super-linear worst-case time complexity. All are explained in the documentation of their types.\n\n### Exponential backtracking\n\nWhile most reports show polynomial backtracking, some report exponential backtracking. Exponential backtracking is a lot more dangerous and can easily be exploited for [ReDoS attacks](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS).\n\nWhile reports of polynomial backtracking may be dismissed after considering the input sizes the regex will actually see, __all reports of exponential backtracking must be fixed__.\n\nAll reports with `exponential: true` report exponential backtracking.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frundevelopment%2Fscslre","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frundevelopment%2Fscslre","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frundevelopment%2Fscslre/lists"}
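The README's _(x,y,z)_ attack-string tuples and the "steps to reject" bound they describe are easiest to see with a matcher that counts its own backtracking. The following is an added example written for this page; it is not scslre code and does not call scslre's `analyse`. It is a toy backtracking matcher for a deliberately tiny regex subset (literal characters, `.` as a wildcard, greedy `*`, implicitly anchored at both ends like `/^...$/`) that counts every matcher call as one step. Running it on `a*a*` against `x + y.repeat(n) + z` with the single-character tuple `("", "a", "b")` shows the quadratic growth such a regex would be reported for, while `a*` on the same input stays linear. The pattern syntax, the step metric and the `growth` helper are all assumptions of this example, not part of the library.

```javascript
// Toy backtracking matcher for a tiny regex subset, added as an illustration.
// Supported: literal chars, '.' (any char), greedy '*'. The whole input must
// match (implicit ^ and $). Every call of match() counts as one step, so the
// growth of the step count with input length exposes polynomial backtracking.

// Parse a pattern such as "a*a*" into atoms {ch, star}. '*' applies to the
// previous atom; nesting and groups are intentionally not supported here.
function parse(pattern) {
  const atoms = [];
  for (const ch of pattern) {
    if (ch === '*') {
      if (atoms.length === 0) throw new Error('nothing to repeat');
      atoms[atoms.length - 1].star = true;
    } else {
      atoms.push({ ch, star: false });
    }
  }
  return atoms;
}

// Returns { matched, steps } for matching `pattern` against the whole `input`.
function countSteps(pattern, input) {
  const atoms = parse(pattern);
  let steps = 0;

  // Does atom `ch` consume input[p]? '.' matches any character.
  const eats = (ch, p) => p < input.length && (ch === '.' || input[p] === ch);

  // Match atoms[i..] against input[pos..]; true when the whole input is consumed.
  function match(i, pos) {
    steps++;
    if (i === atoms.length) return pos === input.length;
    const { ch, star } = atoms[i];
    if (!star) return eats(ch, pos) && match(i + 1, pos + 1);
    // Greedy star: take as many characters as possible, then back off one at
    // a time. Each retry of the remaining atoms is where backtracking cost lives.
    let end = pos;
    while (eats(ch, end)) end++;
    for (let p = end; p >= pos; p--) {
      if (match(i + 1, p)) return true;
    }
    return false;
  }

  const matched = match(0, 0);
  return { matched, steps };
}

// Build the attack string x + y.repeat(n) + z from a tuple (x, y, z).
function attackString(x, y, z, n) {
  return x + y.repeat(n) + z;
}

// Step counts for n and 2n. Doubling the input roughly quadruples the steps of
// a quadratic pattern and roughly doubles those of a linear one.
function growth(pattern, tuple, n) {
  const [x, y, z] = tuple;
  const small = countSteps(pattern, attackString(x, y, z, n)).steps;
  const large = countSteps(pattern, attackString(x, y, z, 2 * n)).steps;
  return { small, large, ratio: large / small };
}

// Constructed tuple: y is the single character 'a', z is a character that
// can never match, so every attack string is rejected after full backtracking.
const tuple = ['', 'a', 'b'];
console.log('a*a* (quadratic):', growth('a*a*', tuple, 50));
console.log('a*   (linear):   ', growth('a*', tuple, 50));
```

The exact count for `a*a*` against `"a".repeat(n) + "b"` is `1 + (n + 1) + (n + 1)(n + 2) / 2`, i.e. the second `a*` is retried once for every position the first `a*` backs off to. A real engine spends its time in the same shape of search; the library's reports point at the quantifier pair responsible, and a fix is usually to make the two quantifiers unable to compete for the same characters (here, `/^a*$/`).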