no-unsafe-regex-construction

Keywords: no unsafe regex construction, security, ESLint rule, JavaScript, TypeScript, CWE-400, CWE-185, ReDoS, injection

ESLint Rule: no-unsafe-regex-construction with LLM-optimized suggestions and auto-fix capabilities. This rule is part of eslint-plugin-secure-coding.

Quick Summary

Vulnerability and Risk

Vulnerability: Constructing regular expressions from untrusted or unvalidated user input.

Risk: Attackers can inject malicious regex patterns (Regex Injection) or complex patterns that cause excessive backtracking (ReDoS), leading to Denial of Service. They might also alter the logic of the regex to bypass validations (e.g., changing a match standard to match anything).

Error Message Format

The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:

🔒 CWE-400 OWASP:A06 CVSS:7.5 | Uncontrolled Resource Consumption (ReDoS) detected | HIGH
   Fix: Review and apply the recommended fix | https://owasp.org/Top10/A06_2021/

Message Components

Rule Details

This rule detects the creation of RegExp objects using user-controlled input. Constructing a regular expression from untrusted input is dangerous because it leads to:

1. ReDoS (Regular Expression Denial of Service): An attacker can provide a pattern that causes catastrophic backtracking (e.g., (a+)+).
2. Logic Errors: An attacker can inject special characters (like *, +, |) to alter the matching behavior in unintended ways.

Why This Matters

Configuration

This rule accepts an options object:

{
  "rules": {
    "secure-coding/no-unsafe-regex-construction": ["error", {
      "allowLiterals": false,           // Default: false. Allow new RegExp("fixed-string").
      "trustedEscapingFunctions": ["escapeRegex", "escape", "sanitize"], // Default list of safe functions.
      "maxPatternLength": 100           // Default: 100. Limit the length of dynamic patterns.
    }]
  }
}

Examples

❌ Incorrect

// Direct user input usage
const pattern = new RegExp(req.query.search);

// Template literal with user input
const pattern2 = new RegExp(`^${userPrefix}`);

// Passing variables without sanitization
function search(term) {
  return new RegExp(term, 'i');
}

✅ Correct

import escapeStringRegexp from 'escape-string-regexp';

// Escaping input first
const safePattern = new RegExp(escapeStringRegexp(req.query.search));

// Fixed strings (if allowLiterals: true)
const fixed = new RegExp('^[a-z]+$');

// RegExp literal (always preferred if pattern is static)
const literal = /^[a-z]+$/;

LLM-Based Suggestions

The rule provides guidance on how to fix detected patterns:

• "Escape User Input": Suggests using a library like escape-string-regexp to neutralize special characters.
• "Use Literal": Suggests converting new RegExp("constant") to /constant/ if possible.

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Values from Variables

Why: Values stored in variables are not traced.

// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);

Mitigation: Validate all user inputs.

Wrapper Functions

Why: Custom wrappers not recognized.

// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internally

Mitigation: Apply rule to wrapper implementations.

Dynamic Invocation

Why: Dynamic calls not analyzed.

// ❌ NOT DETECTED - Dynamic
obj[method](userInput);

Mitigation: Avoid dynamic method invocation.

Further Reading

• OWASP: Regular Expression Denial of Service
• MDN: RegExp
• NPM: escape-string-regexp