recheck

A checker for ReDoS-vulnerable RegExps (regular expressions that can be driven into catastrophic backtracking).

Hybrid

Chooses either an automaton-theory-based algorithm or fuzzing, depending on the RegExp. The result is a fast, strict, state-of-the-art algorithm for detecting ReDoS vulnerabilities.

JavaScript & Scala

Supports JavaScript (ECMA-262) RegExp syntax. It is written in Scala and compiled to JavaScript with Scala.js, so it can be used from both Scala and JavaScript.

Getting Started

JavaScript

Use the following command to install this library:

$ npm install @makenowjust-labo/recheck

This library exports a single API, check. It takes a RegExp pattern source and its flags (as two strings, the same values you would pass to new RegExp) and returns the analysis result.

const { check } = require("@makenowjust-labo/recheck");

console.log(check("^(a|a)*$", ""));
// {
//   status: 'vulnerable',
//   checker: 'automaton',
//   attack: {
//     pumps: [ { prefix: 'a', pump: 'a', bias: 0 } ],
//     suffix: '\x00',
//     base: 17,
//     string: 'aaaaaaaaaaaaaaaaaa\x00',
//     pattern: "'a' 'a'¹⁷ '\\x00'"
//   },
//   complexity: { type: 'exponential', summary: 'exponential', isFuzz: false }
// }

See the documentation for more detail on the result format.

Scala

Add the following line to your build.sbt:

libraryDependencies += "codes.quine.labo" %% "recheck" % "3.1.0"

The ReDoS object is the frontend of this library. Use the ReDoS.check method to analyze a RegExp pattern; it takes the pattern source and flags as strings, like the JavaScript API.

import codes.quine.labo.recheck.ReDoS

println(ReDoS.check("^(a|a)*$", ""))
// Input        : /^(a|a)*$/
// Status       : vulnerable
// Complexity   : exponential
// Attack string: 'a' 'a'¹⁷ '\x00'
// Hotspot      : /^(a|a)*$/
// Checker      : automaton

License

MIT License.