Non-literal regular expression — Severity: High

Building a regular expression by passing a variable to RegExp(), rather than a literal, can expose the application to a regular-expression denial-of-service (ReDoS) attack when that variable carries untrusted input. To avoid this, pass a literal value.

Detector ID
javascript/non-literal-regular-expression@v1.0
Category
Common Weakness Enumeration (CWE)
Tags
-

Noncompliant example

// Example setup: load Express and create the application instance on which
// the handler below registers its route.
const express = require('express');
const app = express();
/**
 * Noncompliant example: registers a GET handler that evaluates a regular
 * expression against a value taken from the request body.
 *
 * The route string "www.example.com" and the handler are handed to `app.get`
 * as in the original snippet; the handler never touches `res`, so as written
 * it sends no response (the snippet only illustrates the detector).
 */
function nonLiteralRegularExpressionNoncompliant() {
  app.get("www.example.com", (req, res) => {
    // NOTE(review): the pattern itself is a fixed string; the untrusted value
    // is the *subject* of `test()`, not the pattern. 'ab+c' contains no nested
    // or overlapping quantifier, so it is not prone to catastrophic
    // backtracking — the ReDoS risk this detector targets arises when an
    // attacker can influence the pattern or when the pattern itself is
    // catastrophic.
    const pattern = new RegExp('ab+c');
    // Noncompliant: user-controlled data passes into `test` for regex patterns.
    const matched = pattern.test(req.body.id);
  });
}

Compliant example

// Example setup: Express application plus the escape-string-regexp helper,
// which backslash-escapes regex metacharacters in a string.
const express = require('express');
const escapeStringRegexp = require('escape-string-regexp');
const app = express();
/**
 * Compliant example (as labelled by the detector): the request-body value is
 * passed through escapeStringRegexp before it reaches `test()`.
 *
 * NOTE(review): escape-string-regexp is intended for values that are embedded
 * into a *pattern* string. Here it is applied to the subject of `test()`,
 * which alters what is matched (metacharacters in `req.body.id` gain a
 * leading backslash) and does not change the pattern's backtracking
 * behaviour — 'ab+c' is fixed and has no nested quantifier either way.
 * Like the noncompliant version, the handler never writes to `res`.
 */
function nonLiteralRegularExpressionCompliant() {
  app.get("www.example.com", (req, res) => {
    const pattern = new RegExp('ab+c');
    // Compliant: sanitized user-controlled data passes into `test` for regex patterns.
    const sanitizedId = escapeStringRegexp(req.body.id);
    const matched = pattern.test(sanitizedId);
  });
}