Passing a variable to RegExp() when creating a regular expression object can lead to a denial-of-service attack. To avoid this, pass a literal value.
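const express = require('express');
const app = express();

/**
 * Noncompliant example for the "pass a literal to RegExp()" rule.
 *
 * Registers a handler that compiles the literal pattern 'ab+c' and runs it
 * against the request-supplied value `req.body.id`. Note that the pattern
 * itself is a string literal here: the untrusted value is only the subject
 * string given to `test()`, not the expression passed to `RegExp()` that
 * the rule text warns about. The `test()` result is computed but unused.
 *
 * @returns {void}
 */
function nonLiteralRegularExpressionNoncompliant() {
  // NOTE(review): Express's first argument to get() is a route path;
  // "www.example.com" looks like a host name — confirm the intended route.
  app.get("www.example.com", (req, res) => {
    const re = new RegExp('ab+c');
    // Noncompliant (per this rule's example): user-controlled `req.body.id`
    // is used directly as the subject string matched by the regex.
    const test = re.test(req.body.id);
  });
}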
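const express = require('express');
const escapeStringRegexp = require('escape-string-regexp');
const app = express();

/**
 * Compliant example for the "pass a literal to RegExp()" rule.
 *
 * Same handler as the noncompliant variant, but `req.body.id` is passed
 * through `escapeStringRegexp` before `test()`. The pattern is still the
 * literal 'ab+c'; the sanitized value is only the subject string of
 * `test()`. NOTE(review): escape-string-regexp presumably escapes regex
 * metacharacters, so applying it to a subject string changes the characters
 * being matched (a "+" in the id would no longer match `b+`) — confirm the
 * example intends to demonstrate building a pattern from the value, as the
 * rule text describes, rather than matching against it.
 *
 * @returns {void}
 */
function nonLiteralRegularExpressionCompliant() {
  // NOTE(review): Express's first argument to get() is a route path;
  // "www.example.com" looks like a host name — confirm the intended route.
  app.get("www.example.com", (req, res) => {
    const re = new RegExp('ab+c');
    // Compliant (per this rule's example): the user-controlled value is
    // escaped before reaching the regex engine.
    const test = re.test(escapeStringRegexp(req.body.id));
  });
}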