{"_id":"safe-regex","_rev":"9797","name":"safe-regex","description":"detect possibly catastrophic, exponential-time regular expressions","dist-tags":{"latest":"2.1.1"},"maintainers":[{"name":"davisjam","email":"davisjam@vt.edu"}],"time":{"modified":"2021-06-03T09:57:39.000Z","created":"2013-07-13T02:56:02.406Z","2.1.1":"2019-10-21T19:45:01.945Z","2.1.0":"2019-10-21T19:42:27.934Z","2.0.2":"2019-02-25T20:17:25.012Z","2.0.1":"2018-11-02T15:34:25.412Z","2.0.0":"2018-10-26T17:59:46.642Z","1.1.0":"2015-03-19T00:30:21.780Z","1.0.0":"2015-02-06T16:36:31.893Z","0.0.1":"2013-11-22T08:44:01.232Z","0.0.0":"2013-07-13T02:56:02.406Z"},"users":{"julien-f":true,"cilindrox":true,"davidcai":true,"openam":true,"stretchgz":true,"csbun":true,"kobleistvan":true,"disqus":true,"scottfreecode":true,"lonjoy":true,"anchnk":true,"hibrahimsafak":true,"kikar":true,"joseph320":true,"raydog":true,"vishwasc":true,"dpjayasekara":true,"ngpvnk":true,"tkalfigo":true,"donecharlton":true},"author":{"name":"James C.","email":"davisjam@vt.edu","url":"Jamie"},"repository":{"type":"git","url":"git://github.com/davisjam/safe-regex.git"},"versions":{"2.1.1":{"name":"safe-regex","version":"2.1.1","description":"detect possibly catastrophic, exponential-time regular expressions","main":"index.js","dependencies":{"regexp-tree":"~0.1.1"},"devDependencies":{"jest":"^24.9.0"},"scripts":{"test":"jest"},"jest":{"moduleFileExtensions":["js"],"testRegex":"test.*\\.spec\\.js$","collectCoverage":true,"coverageReporters":["text-summary","html","lcov"],"collectCoverageFrom":["*.js"],"coverageThreshold":{"global":{"statements":100,"branches":100,"functions":100,"lines":100}}},"repository":{"type":"git","url":"git://github.com/davisjam/safe-regex.git"},"homepage":"https://github.com/davisjam/safe-regex","keywords":["catastrophic","exponential","regex","safe","sandbox"],"author":{"name":"James C.","email":"davisjam@vt.edu","url":"Jamie"},"license":"MIT","gitHead":"9070d9459dac17e281d06e50110fec2cb40cfc67","bugs":{"url":"https://github.com/davisjam/safe-regex/issues"},"_id":"safe-regex@2.1.1","_nodeVersion":"12.10.0","_npmVersion":"6.10.3","dist":{"shasum":"f7128f00d056e2fe5c11e81a1324dd974aadced2","size":6482,"noattachment":false,"key":"/safe-regex/-/safe-regex-2.1.1.tgz","tarball":"http://registry.cnpm.dingdandao.com/safe-regex/download/safe-regex-2.1.1.tgz"},"maintainers":[{"name":"davisjam","email":"davisjam@vt.edu"}],"_npmUser":{"name":"davisjam","email":"davisjam@vt.edu"},"directories":{},"_npmOperationalInternal":{"host":"s3://npm-registry-packages","tmp":"tmp/safe-regex_2.1.1_1571687101795_0.5043143354036861"},"_hasShrinkwrap":false,"publish_time":1571687101945,"_cnpm_publish_time":1571687101945},"2.1.0":{"name":"safe-regex","version":"2.1.0","description":"detect possibly catastrophic, exponential-time regular expressions","main":"index.js","dependencies":{"regexp-tree":"~0.1.1"},"devDependencies":{"jest":"^24.9.0"},"scripts":{"test":"jest"},"jest":{"moduleFileExtensions":["js"],"testRegex":"test.*\\.spec\\.js$","collectCoverage":true,"coverageReporters":["text-summary","html","lcov"],"collectCoverageFrom":["*.js"],"coverageThreshold":{"global":{"statements":100,"branches":100,"functions":100,"lines":100}}},"repository":{"type":"git","url":"git://github.com/davisjam/safe-regex.git"},"homepage":"https://github.com/davisjam/safe-regex","keywords":["catastrophic","exponential","regex","safe","sandbox"],"author":{"name":"James C.","email":"davisjam@vt.edu","url":"Jamie"},"license":"MIT","gitHead":"329afeae8e8acae78dd86d104ea758533895219f","bugs":{"url":"https://github.com/davisjam/safe-regex/issues"},"_id":"safe-regex@2.1.0","_nodeVersion":"12.10.0","_npmVersion":"6.10.3","dist":{"shasum":"3c8c4481278b21d030f6272b8c663de6776130ac","size":5794,"noattachment":false,"key":"/safe-regex/-/safe-regex-2.1.0.tgz","tarball":"http://registry.cnpm.dingdandao.com/safe-regex/download/safe-regex-2.1.0.tgz"},"maintainers":[{"name":"davisjam","email":"davisjam@vt.edu"}],"_npmUser":{"name":"davisjam","email":"davisjam@vt.edu"},"directories":{},"_npmOperationalInternal":{"host":"s3://npm-registry-packages","tmp":"tmp/safe-regex_2.1.0_1571686947761_0.11552026867530052"},"_hasShrinkwrap":false,"publish_time":1571686947934,"_cnpm_publish_time":1571686947934},"2.0.2":{"name":"safe-regex","version":"2.0.2","description":"detect possibly catastrophic, exponential-time regular expressions","main":"index.js","dependencies":{"regexp-tree":"~0.1.1"},"devDependencies":{"tape":"^4.10.1"},"scripts":{"test":"tape test/*.js"},"testling":{"files":"test/*.js","browsers":["ie/8","ie/9","ie/10","firefox/latest","chrome/latest","opera/latest","safari/latest"]},"repository":{"type":"git","url":"git://github.com/davisjam/safe-regex.git"},"homepage":"https://github.com/davisjam/safe-regex","keywords":["catastrophic","exponential","regex","safe","sandbox"],"author":{"name":"James C.","email":"davisjam@vt.edu","url":"Jamie"},"license":"MIT","gitHead":"132c9b9d9efbf0ba5a85bfcd1b2bbd365d95b1b1","bugs":{"url":"https://github.com/davisjam/safe-regex/issues"},"_id":"safe-regex@2.0.2","_npmVersion":"6.2.0","_nodeVersion":"10.9.0","_npmUser":{"name":"davisjam","email":"davisjam@vt.edu"},"dist":{"shasum":"3601b28d3aefe4b963d42f6c2cdb241265cbd63c","size":3206,"noattachment":false,"key":"/safe-regex/-/safe-regex-2.0.2.tgz","tarball":"http://registry.cnpm.dingdandao.com/safe-regex/download/safe-regex-2.0.2.tgz"},"maintainers":[{"name":"davisjam","email":"davisjam@vt.edu"}],"directories":{},"_npmOperationalInternal":{"host":"s3://npm-registry-packages","tmp":"tmp/safe-regex_2.0.2_1551125844844_0.438144546598763"},"_hasShrinkwrap":false,"publish_time":1551125845012,"_cnpm_publish_time":1551125845012},"2.0.1":{"name":"safe-regex","version":"2.0.1","description":"detect possibly catastrophic, exponential-time regular expressions","main":"index.js","dependencies":{"regexp-tree":"~0.0.85"},"devDependencies":{"tape":"^3.5.0"},"scripts":{"test":"tape test/*.js"},"testling":{"files":"test/*.js","browsers":["ie/8","ie/9","ie/10","firefox/latest","chrome/latest","opera/latest","safari/latest"]},"repository":{"type":"git","url":"git://github.com/davisjam/safe-regex.git"},"homepage":"https://github.com/davisjam/safe-regex","keywords":["catastrophic","exponential","regex","safe","sandbox"],"author":{"name":"James C.","email":"davisjam@vt.edu","url":"Jamie"},"license":"MIT","gitHead":"db1568fee2072aa532919b0899490b4a4492efd4","bugs":{"url":"https://github.com/davisjam/safe-regex/issues"},"_id":"safe-regex@2.0.1","_npmVersion":"6.2.0","_nodeVersion":"10.9.0","_npmUser":{"name":"davisjam","email":"davisjam@vt.edu"},"dist":{"shasum":"676c791d97f31fadb8958d64300f7760606fa0a1","size":3144,"noattachment":false,"key":"/safe-regex/-/safe-regex-2.0.1.tgz","tarball":"http://registry.cnpm.dingdandao.com/safe-regex/download/safe-regex-2.0.1.tgz"},"maintainers":[{"name":"davisjam","email":"davisjam@vt.edu"}],"directories":{},"_npmOperationalInternal":{"host":"s3://npm-registry-packages","tmp":"tmp/safe-regex_2.0.1_1541172865225_0.8604165785745475"},"_hasShrinkwrap":false,"publish_time":1541172865412,"_cnpm_publish_time":1541172865412},"2.0.0":{"name":"safe-regex","version":"2.0.0","description":"detect possibly catastrophic, exponential-time regular expressions","main":"index.js","dependencies":{"regexp-tree":"~0.0.85"},"devDependencies":{"tape":"^3.5.0"},"scripts":{"test":"tape test/*.js"},"testling":{"files":"test/*.js","browsers":["ie/8","ie/9","ie/10","firefox/latest","chrome/latest","opera/latest","safari/latest"]},"repository":{"type":"git","url":"git://github.com/davisjam/safe-regex.git"},"homepage":"https://github.com/davisjam/safe-regex","keywords":["catastrophic","exponential","regex","safe","sandbox"],"author":{"name":"James C.","email":"davisjam@vt.edu","url":"Jamie"},"license":"MIT","gitHead":"cd95cff13de26a3065a97eeb90dba360a95790d8","bugs":{"url":"https://github.com/davisjam/safe-regex/issues"},"_id":"safe-regex@2.0.0","_npmVersion":"5.5.1","_nodeVersion":"8.2.1","_npmUser":{"name":"davisjam","email":"davisjam@vt.edu"},"dist":{"shasum":"1c021d0d55ee116bf6caeeb1d7d0a388509f7112","size":3131,"noattachment":false,"key":"/safe-regex/-/safe-regex-2.0.0.tgz","tarball":"http://registry.cnpm.dingdandao.com/safe-regex/download/safe-regex-2.0.0.tgz"},"maintainers":[{"name":"davisjam","email":"davisjam@vt.edu"}],"directories":{},"_npmOperationalInternal":{"host":"s3://npm-registry-packages","tmp":"tmp/safe-regex_2.0.0_1540576786474_0.40345973051344486"},"_hasShrinkwrap":false,"publish_time":1540576786642,"_cnpm_publish_time":1540576786642},"1.1.0":{"name":"safe-regex","version":"1.1.0","description":"detect possibly catastrophic, exponential-time regular expressions","main":"index.js","dependencies":{"ret":"~0.1.10"},"devDependencies":{"tape":"^3.5.0"},"scripts":{"test":"tape test/*.js"},"testling":{"files":"test/*.js","browsers":["ie/8","ie/9","ie/10","firefox/latest","chrome/latest","opera/latest","safari/latest"]},"repository":{"type":"git","url":"git://github.com/substack/safe-regex.git"},"homepage":"https://github.com/substack/safe-regex","keywords":["catastrophic","exponential","regex","safe","sandbox"],"author":{"name":"James Halliday","email":"mail@substack.net","url":"http://substack.net"},"license":"MIT","gitHead":"d2570f31bd9d779515015917bb8297c753e46572","bugs":{"url":"https://github.com/substack/safe-regex/issues"},"_id":"safe-regex@1.1.0","_shasum":"40a3669f3b077d1e943d44629e157dd48023bf2e","_from":".","_npmVersion":"2.3.0","_nodeVersion":"0.12.0","_npmUser":{"name":"substack","email":"mail@substack.net"},"maintainers":[{"name":"davisjam","email":"davisjam@vt.edu"}],"dist":{"shasum":"40a3669f3b077d1e943d44629e157dd48023bf2e","size":2878,"noattachment":false,"key":"/safe-regex/-/safe-regex-1.1.0.tgz","tarball":"http://registry.cnpm.dingdandao.com/safe-regex/download/safe-regex-1.1.0.tgz"},"directories":{},"publish_time":1426725021780,"_cnpm_publish_time":1426725021780,"_hasShrinkwrap":false},"1.0.0":{"name":"safe-regex","version":"1.0.0","description":"detect possibly catastrophic, exponential-time regular expressions","main":"index.js","dependencies":{"ret":"~0.1.10"},"devDependencies":{"tape":"^3.5.0"},"scripts":{"test":"tape test/*.js"},"testling":{"files":"test/*.js","browsers":["ie/8","ie/9","ie/10","firefox/latest","chrome/latest","opera/latest","safari/latest"]},"repository":{"type":"git","url":"git://github.com/substack/safe-regex.git"},"homepage":"https://github.com/substack/safe-regex","keywords":["catastrophic","exponential","regex","safe","sandbox"],"author":{"name":"James Halliday","email":"mail@substack.net","url":"http://substack.net"},"license":"MIT","gitHead":"4ffa3f1b0ffe993ecaee97a622fb17469db2c2c6","bugs":{"url":"https://github.com/substack/safe-regex/issues"},"_id":"safe-regex@1.0.0","_shasum":"2a88b57eb36396bb4c69218a3acd3334c5570123","_from":".","_npmVersion":"2.3.0","_nodeVersion":"0.10.35","_npmUser":{"name":"substack","email":"mail@substack.net"},"maintainers":[{"name":"davisjam","email":"davisjam@vt.edu"}],"dist":{"shasum":"2a88b57eb36396bb4c69218a3acd3334c5570123","size":2721,"noattachment":false,"key":"/safe-regex/-/safe-regex-1.0.0.tgz","tarball":"http://registry.cnpm.dingdandao.com/safe-regex/download/safe-regex-1.0.0.tgz"},"directories":{},"publish_time":1423240591893,"_cnpm_publish_time":1423240591893,"_hasShrinkwrap":false},"0.0.1":{"name":"safe-regex","version":"0.0.1","description":"detect possibly catastrophic, exponential-time regular expressions","main":"index.js","dependencies":{"ret":"~0.1.6"},"devDependencies":{"tape":"~1.0.4"},"scripts":{"test":"tape test/*.js"},"testling":{"files":"test/*.js","browsers":["ie/8","ie/9","ie/10","firefox/latest","chrome/latest","opera/latest","safari/latest"]},"repository":{"type":"git","url":"git://github.com/substack/safe-regex.git"},"homepage":"https://github.com/substack/safe-regex","keywords":["catastrophic","exponential","regex","safe","sandbox"],"author":{"name":"James Halliday","email":"mail@substack.net","url":"http://substack.net"},"license":"MIT","readmeFilename":"readme.markdown","bugs":{"url":"https://github.com/substack/safe-regex/issues"},"_id":"safe-regex@0.0.1","dist":{"shasum":"350ae32b49b7dc75d1cac3a18cb8b375a94ef15c","size":2624,"noattachment":false,"key":"/safe-regex/-/safe-regex-0.0.1.tgz","tarball":"http://registry.cnpm.dingdandao.com/safe-regex/download/safe-regex-0.0.1.tgz"},"_from":".","_npmVersion":"1.3.14","_npmUser":{"name":"substack","email":"mail@substack.net"},"maintainers":[{"name":"davisjam","email":"davisjam@vt.edu"}],"directories":{},"publish_time":1385109841232,"_cnpm_publish_time":1385109841232,"_hasShrinkwrap":false},"0.0.0":{"name":"safe-regex","version":"0.0.0","description":"detect possibly catastrophic, exponential-time regular expressions","main":"index.js","dependencies":{"ret":"~0.1.6"},"devDependencies":{"tape":"~1.0.4"},"scripts":{"test":"tape test/*.js"},"testling":{"files":"test/*.js","browsers":["ie/8","ie/9","ie/10","firefox/latest","chrome/latest","opera/latest","safari/latest"]},"repository":{"type":"git","url":"git://github.com/substack/safe-regex.git"},"homepage":"https://github.com/substack/safe-regex","keywords":["catastrophic","exponential","regex","safe","sandbox"],"author":{"name":"James Halliday","email":"mail@substack.net","url":"http://substack.net"},"license":"MIT","readmeFilename":"readme.markdown","bugs":{"url":"https://github.com/substack/safe-regex/issues"},"_id":"safe-regex@0.0.0","dist":{"shasum":"9a9ae1f35a6ea8047b6ea6ecf9c05143e1efc3ab","size":2564,"noattachment":false,"key":"/safe-regex/-/safe-regex-0.0.0.tgz","tarball":"http://registry.cnpm.dingdandao.com/safe-regex/download/safe-regex-0.0.0.tgz"},"_from":".","_npmVersion":"1.3.0","_npmUser":{"name":"substack","email":"mail@substack.net"},"maintainers":[{"name":"davisjam","email":"davisjam@vt.edu"}],"directories":{},"publish_time":1373684162406,"_cnpm_publish_time":1373684162406,"_hasShrinkwrap":false}},"readme":"# safe-regex\n\nDetect potentially\n[catastrophic](http://regular-expressions.mobi/catastrophic.html)\n[exponential-time](http://perlgeek.de/blog-en/perl-tips/in-search-of-an-exponetial-regexp.html)\nregular expressions by limiting the\n[star height](https://en.wikipedia.org/wiki/Star_height) to 1.\n\nWARNING: This module has both false positives and false negatives.\nUse [vuln-regex-detector](https://github.com/davisjam/vuln-regex-detector) for improved accuracy.\n\n[![Build Status](https://travis-ci.org/davisjam/safe-regex.svg?branch=master)](https://travis-ci.org/davisjam/safe-regex)\n\n## Example\n\nSuppose you have a script named `safe.js`:\n\n``` js\nvar safe = require('safe-regex');\nvar regex = process.argv.slice(2).join(' ');\nconsole.log(safe(regex));\n```\n\nThis is its behavior:\n\n```\n$ node safe.js '(x+x+)+y'\nfalse\n$ node safe.js '(beep|boop)*'\ntrue\n$ node safe.js '(a+){10}'\nfalse\n$ node safe.js '\\blocation\\s*:[^:\\n]+\\b(Oakland|San Francisco)\\b'\ntrue\n```\n\n## Methods\n\n``` js\nconst safe = require('safe-regex')\n```\n\n### const ok = safe(re, opts={})\n\nReturn a boolean `ok` whether or not the regex `re` is safe and not possibly\ncatastrophic.\n\n`re` can be a `RegExp` object or just a string.\n\nIf the `re` is a string and is an invalid regex, returns `false`.\n\n* `opts.limit` - maximum number of allowed repetitions in the entire regex.\nDefault: `25`.\n\n## Install\n\nWith [npm](https://npmjs.org) do:\n\n```\nnpm install safe-regex\n```\n\n## Resources\n\n### What should I do if my project has a super-linear regex?\n\n1. Confirm that it is *reachable* by untrusted input.\n2. If it is, you can consider whether you can prevent worst-case behavior by trimming the input, revising the regex, or replacing the regex with another algorithm like string functions. For examples, see Table 5 in [this article](http://people.cs.vt.edu/davisjam/downloads/publications/DavisCoghlanServantLee-EcosystemREDOS-ESECFSE18.pdf).\n3. If none of those solutions looks feasible, you might also consider changing regex engines. The [RE2 bindings](https://www.npmjs.com/package/re2) might work, though test carefully to confirm there are no [semantic portability problems](https://medium.com/@davisjam/why-arent-regexes-a-lingua-franca-esecfse19-a36348df3a2?source=friends_link&sk=d21be7f8f723e2080dc993385c6973d1).\n\n### Further reading\n\nThe following documents may be edifying:\n\n- [Research brief on the extent of super-linear regexes in practice](https://medium.com/@davisjam/introduction-987fdc4c7b0?source=friends_link&sk=ceefa4a4ca9617e08ab782c3b1580aea)\n- [Research brief on the variability of super-linear regex behavior across programming languages](https://medium.com/@davisjam/why-arent-regexes-a-lingua-franca-esecfse19-a36348df3a2?source=friends_link&sk=d21be7f8f723e2080dc993385c6973d1)\n- [Comparing regex matching algorithms](https://swtch.com/~rsc/regexp/regexp1.html)\n\n## Project policies\n\n### Versioning\n\nThis project follows [Semantic Versioning 2.0 (semver)](https://semver.org/).\n\nHere are the project-specific meanings of MAJOR, MINOR, and PATCH updates:\n\n- MAJOR: \"Incompatible\" API changes were introduced. There are two types in this module:\n  - Changes that modify the interface\n  - Changes that cause any regexes to be marked as unsafe that were formerly marked as safe\n- MINOR: Functionality was added in a backwards-compatible manner. There are two types in this module:\n  - Refactoring the analyses but not changing their results\n  - Modifying the analyses to reduce false positives, without affecting negatives (false or true)\n- PATCH: I don't anticipate using PATCH for this module\n\n### License\n\n[MIT](https://github.com/davisjam/safe-regex/blob/master/LICENSE)","_attachments":{},"homepage":"https://github.com/davisjam/safe-regex","bugs":{"url":"https://github.com/davisjam/safe-regex/issues"},"license":"MIT"}