makenowjust-labs / recheck

The trustworthy ReDoS checker

Home Page: https://makenowjust-labs.github.io/recheck/

License: MIT License

Scala 80.34% JavaScript 1.43% TypeScript 11.97% CSS 0.71% MDX 5.54%
scala javascript redos redos-checker security vulnerability eslint-plugin

recheck's Introduction

recheck

License

MIT License.

2020-2024 (C) TSUYUSATO "MakeNowJust" Kitsune

recheck's People

Contributors

denis-sokolov, makenowjust, renovate-bot, renovate[bot], ydah

recheck's Issues

Support other dialects

What is the problem?

Currently recheck only supports JavaScript. But, there are many dialects of regular expression in the real world.
We should support other dialects in recheck.

How to fix the problem?

  • Survey other dialects' syntax
    • Python
    • Java
    • PCRE (Perl / PHP)
    • Ruby

Docs: Mention that the eslint plugin uses `checkSync` due to an ESLint limitation

What is the problem?

It would be nice if https://makenowjust-labs.github.io/recheck/docs/usage/as-eslint-plugin/ mentions that the ESLint plugin uses checkSync due to a limitation in ESLint. And possibly also link to the issue in ESLint so people are aware what the limitation is.

I am fine with this being closed directly if not wanted as it is an implementation detail, but it might be nice for users wondering. Maybe even more important if this package becomes the default in eslint-community/eslint-plugin-security#28.

eslint-plugin-redos cache config is not working

What is the problem?

Activating the cache in eslint-plugin-redos as documented in the recheck docs causes an ESLint validation error.

Configuration for rule "redos/no-vulnerable" is invalid:
        Value {"cache":true} should NOT have additional properties. 

.eslintrc

  plugins: ['redos'],
  rules: {
    'redos/no-vulnerable': ['error', { cache: true }],
  }

Example on stackblitz.com

How to fix the problem?

(?)

Related issues

False positive of fuzz

What is the problem?

Still got false positive of fuzz on a project containing many regular expressions.

  9:7  error  Found a ReDoS vulnerable RegExp (2nd degree polynomial (fuzz))  redos/no-vulnerable

✖ 1 problem (1 error, 0 warnings)


webpack 5.73.0 compiled with 1 error in 213135 ms

That error appears in different files each time. I've set attackTimeout to null (#447) but the error doesn't disappear. Any other workarounds?

Provide `jar` version of NPM package

What is the problem?

Platforms supported by the recheck CLI are x64 only on Windows/macOS/Linux.
To support other platforms, we can provide a jar package and run it with the Java installed on the user's machine.

How to fix the problem?

  • Add jar version of NPM package.
  • Add workflow to build and publish jar package.
  • Support java runner in agent implementation.

Recheck throws error `Error: write EPIPE`

What is the problem?

import { check } from 'recheck';

await check('^(a|a)*$', '');

gives:

[Running] node "/home/userA/code/projectA/regexTest.js"
node:events:491
      throw er; // Unhandled 'error' event
      ^

Error: write EPIPE
    at afterWriteDispatched (node:internal/stream_base_commons:160:15)
    at writeGeneric (node:internal/stream_base_commons:151:3)
    at Socket._writeGeneric (node:net:917:11)
    at Socket._write (node:net:929:8)
    at writeOrBuffer (node:internal/streams/writable:392:12)
    at _write (node:internal/streams/writable:333:10)
    at Writable.write (node:internal/streams/writable:337:10)
    at /home/userA/code/projectA/node_modules/recheck/lib/main.js:2:20
    at new Promise (<anonymous>)
    at FA.request (/home/userA/code/projectA/node_modules/recheck/lib/main.js:1:1513)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (node:internal/streams/destroy:151:8)
    at emitErrorCloseNT (node:internal/streams/destroy:116:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
  errno: -32,
  code: 'EPIPE',
  syscall: 'write'
}

Node.js v18.12.1

It is like this in 4.4.2 and 4.4.3 but in 4.4.1 it works.

How to fix the problem?

No idea.

Related issues

None.

A process is not terminated even if a script is completed

What is the problem?

The following script is to check a simple regexp. It prints a safe result, but it is not terminated after the printing.

const { check } = require('recheck');

(async () => {
  console.log((await check('a', '')).status);
})();

How to fix the problem?

The reason for this bug is that a call to subprocess.unref is missing.
We should count running checks and call unref correctly when all checks are done.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Repository problems

These problems occurred while renovating this repository. View logs.

  • WARN: Package lookup failures

Warning

Renovate failed to look up the following dependencies: Failed to look up sbt-package package org.scala-js:scalajs-java-securerandom_2.13, Failed to look up sbt-package package io.circe:circe-scalajs_2.13.

Files affected: build.sbt


Other Branches

These updates are pending. To force PRs open, click the checkbox below.

  • Update dependency @algolia/client-search to v4.23.3

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Use prettier for `recheck` NPM package

What is the problem?

The NPM package source code is not formatted by any tool.

Prettier is an opinionated code formatter for JavaScript/TypeScript.
We can accept these styles, so we want to use prettier in our project.

How to fix the problem?

  1. Add prettier to the project.
  2. Check code formats in CI.

Related issues

Side-effect-less `Config`

What is the problem?

Config takes a context value, and context is side-effectful, so Config is side-effectful too.
However, we feel Config has no side effect intuitively. We want to fix Config as side-effect-less.

How to fix the problem?

  • Add Parameter as side-effect-less version of Config
  • Use Parameter instead of Config

JS Version seems to provide different results than online version

Hey so I'm trying to write a little CLI around this where a user can pass in a glob pattern of files to be matched, and it will find the files, loop over the lines in said files to find regexes, and finally test those against this checker.

So far so good, everything is working - however I can't get it to come up with a positive match although I've verified two results in my test file should trigger a positive (i.e. "vulnerable") match.

Here's my two test regexes and the output of running check(testRegex) on them:

1. /^([a-zA-Z0-9-_@]+|\.\/)+\.(png|jpg|jpeg|pdf)$/m
{
  source: '/^([a-zA-Z0-9-_@]+|\\.\\/)+\\.(png|jpg|jpeg|pdf)$/m',
  flags: '',
  status: 'safe',
  checker: 'automaton',
  complexity: { type: 'linear', summary: 'linear', isFuzz: false }
}

2. /^(a|a)*$/
{
  source: '/^(a|a)*$/',
  flags: '',
  status: 'safe',
  checker: 'automaton',
  complexity: { type: 'linear', summary: 'linear', isFuzz: false }
}

I see on the first one in "source" it seems to have done some escaping of the backslashes itself, but I pasted both the escaped and unescaped version into your online checker, and they both came back vulnerable every single time, no matter which checker I used (fuzz or automaton).

Do I need to set any flags or anything in the second parameter of the check() function? I didn't see any examples of flags or anything that could be set there.

Thanks for this cool checker!
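
In the output above, `source` still contains the literal's `/` delimiters and `flags` is empty, so the pattern handed to `check` is not the one written in the file. The following is an added example, not code from the issue or from recheck: `splitRegexLiteral` and `toCheckArgs` are hypothetical helpers that split regex-literal text into the `(source, flags)` pair before calling `check(source, flags)`. It also accepts `RegExp` objects and rejects malformed text, which goes beyond the two literals in the issue.

```javascript
// Added example (not recheck's code): turn regex-literal text found in source
// files into the (source, flags) pair that check(source, flags) takes.
// splitRegexLiteral and toCheckArgs are hypothetical helper names.

const KNOWN_FLAGS = /^[dgimsuvy]*$/;

// Split "/body/flags" text. Returns null when the text is not one complete,
// compilable literal, so a caller never analyses a half-parsed pattern.
function splitRegexLiteral(text) {
  const t = text.trim();
  if (t.length < 3 || t[0] !== '/' || t[1] === '/' || t[1] === '*') return null;
  let inClass = false;
  for (let i = 1; i < t.length; i++) {
    const c = t[i];
    if (c === '\n' || c === '\r') return null;   // literals cannot span lines
    if (c === '\\') { i++; continue; }           // escaped char, e.g. \/ or \]
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; continue; } // "/" inside [...] is literal
    if (c !== '/') continue;
    const source = t.slice(1, i);
    const flags = t.slice(i + 1);
    if (!KNOWN_FLAGS.test(flags)) return null;
    if (new Set(flags).size !== flags.length) return null; // duplicate flag
    try {
      new RegExp(source, flags); // reject text the engine itself would reject
    } catch {
      return null;
    }
    return { source, flags };
  }
  return null; // no closing delimiter
}

// Accept either a RegExp object or literal text; never pass the delimiters on.
function toCheckArgs(input) {
  if (input instanceof RegExp) return { source: input.source, flags: input.flags };
  const parts = splitRegexLiteral(String(input));
  if (parts === null) throw new SyntaxError(`not a regex literal: ${input}`);
  return parts;
}

// The two literals from the issue above, as text (String.raw keeps the
// backslashes); the probe strings are constructed for this example.
const SAMPLES = [
  { text: String.raw`/^([a-zA-Z0-9-_@]+|\.\/)+\.(png|jpg|jpeg|pdf)$/m`, probe: 'photo.png' },
  { text: String.raw`/^(a|a)*$/`, probe: 'aaaa' },
];

function demo() {
  return SAMPLES.map(({ text, probe }) => {
    const { source, flags } = toCheckArgs(text);
    return {
      source,
      flags,
      // With the delimiters left in, "/" must precede "^", so nothing matches.
      rawTextMatches: new RegExp(text).test(probe),
      splitMatches: new RegExp(source, flags).test(probe),
    };
  });
}

// With recheck installed, the pair is then passed on unchanged:
//   const { source, flags } = toCheckArgs(text);
//   const result = await check(source, flags);
console.log(demo());
```
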

Bundle size is 6mb

Hi!

This is my first time using recheck. When bundling, the output seems to turn out to be 6.8mb for just this package.

Does this package really need to bundle all that it's currently bundling? Is there something one can do to reduce the bundle size?

Parameters don't work on the playground

Playground throws the following error if you change the timeout parameter to 20000 and run it.

61b0b527-2b7e-4326-827c-37089aa32669:6 Uncaught io.circe.DecodingFailure$$anon$3: Duration: DownField(timeout)
    at _u.codes$quine$labs$recheck$codec$package$$$anonfun$decodeDuration$1__Lio_circe_HCursor__s_util_Either (blob:https://makenowjust-labs.github.io/61b0b527-2b7e-4326-827c-37089aa32669:6:29078)
    at _u.codes$quine$labs$recheck$codec$package$$$anonfun$decodeParameters$1__Lio_circe_HCursor__Lio_circe_Decoder__s_util_Either (blob:https://makenowjust-labs.github.io/61b0b527-2b7e-4326-827c-37089aa32669:6:26837)
    at Lg.check__T__T__sjs_js_$bar__sjs_js_Any (blob:https://makenowjust-labs.github.io/61b0b527-2b7e-4326-827c-37089aa32669:3:3029)
    at tK (blob:https://makenowjust-labs.github.io/61b0b527-2b7e-4326-827c-37089aa32669:62:702997)
    at nK (blob:https://makenowjust-labs.github.io/61b0b527-2b7e-4326-827c-37089aa32669:62:703071)
    at blob:https://makenowjust-labs.github.io/61b0b527-2b7e-4326-827c-37089aa32669:62:703213
    at blob:https://makenowjust-labs.github.io/61b0b527-2b7e-4326-827c-37089aa32669:1:532
_u.codes$quine$labs$recheck$codec$package$$$anonfun$decodeDuration$1__Lio_circe_HCursor__s_util_Either	@	61b0b527-2b7e-4326-827c-37089aa32669:6
_u.codes$quine$labs$recheck$codec$package$$$anonfun$decodeParameters$1__Lio_circe_HCursor__Lio_circe_Decoder__s_util_Either	@	61b0b527-2b7e-4326-827c-37089aa32669:6
Lg.check__T__T__sjs_js_$bar__sjs_js_Any	@	61b0b527-2b7e-4326-827c-37089aa32669:3
tK	@	61b0b527-2b7e-4326-827c-37089aa32669:62
nK	@	61b0b527-2b7e-4326-827c-37089aa32669:62
(anonymous)	@	61b0b527-2b7e-4326-827c-37089aa32669:62
(anonymous)

eslint-plugin-redos with default config

What is the problem?

When configuring ESLint, one currently has to do this:

"plugins": ["redos"],
"rules": {
   "redos/no-vulnerable": "error"
 }

It would be nice to use a very common config functionality of ESLint where both the plugin and the rule are loaded only once.

How to fix the problem?

Add an ESLint config to eslint-plugin-redos and let us specify it like:

  "extends": [
    "plugin:redos/recommended"
  ],

Read more at https://eslint.org/docs/latest/developer-guide/working-with-plugins#configs-in-plugins (overview at https://stackoverflow.com/a/54522973/1853417)

Docs: `timeout` parameter for `check()`

What is the problem?

https://makenowjust-labs.github.io/recheck/docs/usage/as-javascript-library/ mentions:

There is the timeout parameter to specify timeout seconds. Please use this instead of the manual way.

There are two problems here:

  1. It says seconds while I believe it should say milliseconds
  2. The text "Please use this instead of the manual way." is ambiguous. Does it mean to use an AbortController instead of the timeout parameter? If so the text should be re-phrased. If not, it is hard to understand what the sentence is trying to say.

MacOS ARM64 native binaries

What is the problem?

On Apple processor chips m1/m2 ARM64, it seems recheck falls back to the Java implementation.
While it achieves the end goal, I was wondering if you can provide native ARM64 binaries or even use x64 emulation (unclear if that would be better than java runtime)

How to fix the problem?

  1. Provide recheck-macos-arm64 package
  2. Try x64 emulation ?

Recall validation

What is the problem?

The current implementation has the "recall" problem.
In other words, because the real matching implementation does some optimization, the generated attack string may not work.
To prevent such a case, we consider adding a recall validation phase to the implementation, which runs the real program and checks whether or not the attack string works.

How to fix the problem?

  • Run a recall validation phase when the attack string is found.

JS style attack string representation

What is the problem?

At one time, we considered the small superscript representation of attack strings a good pretty-printing style. However, it is hard to read and not interpretable directly. Thus, we shall propose a new pretty-printing style for attack strings (and the witness of the automaton checker).

The style simply uses JavaScript notation. For example, 'fizz'⁴ 'buzz' is now displayed as 'fizz'.repeat(4) + 'buzz'. It may seem lengthy and uninteresting, but it is easily readable, and JavaScript eval can be used to obtain the actual attack string.

How to fix the problem?

  1. Implement the new pretty print style for attack string as #toString method

False positive of fuzz in a busy state

What is the problem?

When the runtime environment is busy due to another concurrent build task, recheck sometimes reports a false positive such as the 2nd degree polynomial (fuzz).

Announce the new version release

What is the problem?

Since 4.0.0, the @makenowjust-labo/recheck package has been renamed to recheck.

Some packages depend on the @makenowjust-labo package.
We need to announce the new version release and ask them to switch to the new recheck.

How to fix the problem?

Two steps.

  1. List the packages that use @makenowjust-labo/recheck.
  2. Announce the new version release to their code owners. (Open an issue or send a pull request to switch the version.)

Playground reports a false positive in fuzz mode

What is the problem?

Playground reports a false positive in fuzz mode.

Here is the input regex

/(?=(<table))\1(?=(\s*))\2(?<tableAttrs>(?:(?![>])[^])*)(?=(>))\4(?<tableChildren>(?=((?:(?![<])[^])*))\6)(?=(<\/table>))\7/

Log:

parse: start
parse: finish
  pattern: /(?=(<table))\1(?=(\s*))\2(?<tableAttrs>(?:(?![>])[^])*)(?=(>))\4(?<tableChildren>(?=((?:(?![<])[^])*))\6)(?=(<\/table>))\7/
fuzz: start (usesAcceleration: false)
fuzz: seeding start (seeder: static)
automaton: EpsNFA construction
     state size: 143
  alphabet size: 10
automaton: OrderedNFA construction
     state size: 39
  alphabet size: 10
fuzz: seeding finish
  size: 260
fuzz: iteration 1
  traces: 100
     max: '<table>\t<' (steps: 29, rate: 3.2222222222222223)
fuzz: attack start (status: limit)
  string: '/' + '<table'.repeat(168) + '<>'.repeat(159) + '<'
fuzz: attack (exponential)
fuzz: attack (polynomial: 4)
fuzz: attack succeeded (status: timeout)
  string: '/' + '<table'.repeat(269) + '<>'.repeat(260) + '<'
recall: code
const re = new RegExp('(?=(<table))\\1(?=(\\s*))\\2(?<tableAttrs>(?:(?![>])[^])*)(?=(>))\\4(?<tableChildren>(?=((?:(?![<])[^])*))\\6)(?=(<\\/table>))\\7', '');
const input = '/' + '<table'.repeat(269) + '<>'.repeat(260) + '<';
const start = Date.now();
re.exec(input);
const end = Date.now();
console.log(Number(end - start).toString());

Run recall code:
It seems to take 2ms to run instead of 2s

v4.4.2 of the eslint plugin doesn't work under node v14

What is the problem?

  • On my projects that use eslint-plugin-redos, Dependabot opened upgrade PRs for v4.4.2 of the plugin.
  • My projects' CI checks fail under node v14, as it doesn't understand the ||= operator on L22 of lib/main.js:
for (var prop in b ||= {})

How to fix the problem?

  1. (For me) Wait until node v14 is end-of-life in April 2023, then upgrade to the new version of the plugin and publish a major version update to my projects.
  2. (For you) Unpublish 4.4.2 and publish 5.0.0, as this is a breaking change?
  3. Update (or add) the engines field in package.json to accurately reflect the node version support.

Related issues

Improve the document

What is the problem?

Simply stated, the document of recheck is poor and not so useful.

We need to provide the following contents for users in the document:

  • how to use recheck
    • as a Scala library
    • as a JavaScript library
    • as an eslint plugin
  • recheck algorithm explanation
    • 'automaton' algorithm
    • 'fuzz' algorithm
    • 'hybrid' algorithm
  • details of the parameters

How to fix the problem?

  • Extend Hugo theme for multiple pages
  • Write document contents

Regex DoS check times out

What is the problem?

https://devina.io/redos-checker

Regex: \.loadUrl\(.{0,48}getExternalStorageDirectory\( works fine -> Safe to use
Regex: \.loadUrl\(.{0,49}getExternalStorageDirectory\( times out. -> Oh no! The checker timed out

How to fix the problem?

Related issues

Add `checkSync` function to `recheck` NPM package

What is the problem?

The old check function is synchronous, but the current check function has been asynchronous since 4.0.0.
To implement the ESLint plugin, we should support the synchronous version of check, which is named checkSync.

How to fix the problem?

I'm considering how to implement checkSync.
Node.js has spawnSync, so we can implement it by spawning recheck CLI.
However, it may be slow when it spawns a new process on each checking, and it is hard to keep the implementation simple if it supports async/sync implementation in the same code base.

For now, implementing it by using Scala.js build looks better to me. It is simple and fast enough.

Related issues

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: renovate.json
Error type: The renovate configuration file contains some invalid settings
Message: Invalid configuration option: regexManagers[0].depName, Regex Manager contains disallowed fields: depName, depType, Regex Manager contains disallowed fields: depType, Regex Manager contains disallowed fields: depType

Performance issue with regex and ESlint `"plugin:redos/recommended"`

What is the problem?

Having this regex in a file takes several seconds when running ESLint using "plugin:redos/recommended".

const re = /cert\.pem: (-----BEGIN CERTIFICATE-----[\S\n]+-----END CERTIFICATE-----)/

I assume this is since in ESLint you have to use checkSync()? Is there any way to speed this up?

The main problem is that e.g. in editors like VS Code where most have ESLint run on save (or even when writing code), having something take seconds is not manageable as it halts DX experience completely.

Use TypeScript for `recheck` NPM package

What is the problem?

Currently the recheck NPM package is written in usual JavaScript without static type checking.

Static type checking is an important method to reduce bugs in a project.
We want to adopt this, and TypeScript is the best tool for type checking in JavaScript today.

How to fix the problem?

Three steps.

  1. Rewrite the package source code in TypeScript.
  2. Fix esbuild settings to transpile TypeScript.
  3. Add a type checking workflow job.
