I crafted two regular expressions that successfully parse the strings I desire parsed. However, when running the code that includes the regular expressions against Sonar Cloud (quality and security check), I get a warning about performance and security.

Here are the regular expressions I crafted (note the · and - characters):

// yearToYearWithIrrWAndDotRegex parses: · 1998 - 2001, · 2001 - Present
const yearToYearWithIrrWAndDotRegex = /·.*?(19|20)\d{2}.*?-.*?((19|20)\d{2}|Present)?/g;

// yearToYearRegex parses: 1998 - 2001, 2001 - Present
const yearToYearRegex = /(19|20)\d{2}.*?-.*?((19|20)\d{2}|Present)/g;

The Sonar Cloud warning:

Evaluating regular expressions against input strings is potentially an extremely CPU-intensive task. Specially crafted regular expressions such as (a+)+s will take several seconds to evaluate the input string aaaaaaaaaaaaaaaaaaaaaaaaaaaaabs. The problem is that with every additional a character added to the input, the time required to evaluate the regex doubles. However, the equivalent regular expression, a+s (without grouping) is efficiently evaluated in milliseconds and scales linearly with the input size.

TLDR: Is there any way to make my RegEx better?

RobG

1 Answer

That looks like a generic security warning - the scanner probably saw that you were using a regex and dropped a standard text blob in its report. This sort of thing is pretty standard in dynamic or static scanners; in many cases they can't tell for sure whether what was done is vulnerable or not, so they err on the side of caution.

From a security angle, you generally need to consider where the input data is coming from. If you're parsing a fixed format file provided by another business your risk is less than if you're parsing user input in a public website. Parsing an uploaded file is riskier because more input data results in more processing time.

Your regex looks pretty simple to me - you're not using positive or negative lookarounds or doing anything tricky. You could replace your .*? with \s+ if whitespace matching will work against your input.
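As an added illustration (not code from the question or the answer), here are the two patterns rewritten with the lazy `.*?` gaps replaced by explicit whitespace, wrapped in a small parser that also caps input length; the `MAX_INPUT_LENGTH` value and the sample text are assumptions made for the example.

```javascript
// Added example, not from the original post. The lazy ".*?" gaps are replaced
// with "\s*" as the answer suggests: whitespace-only gaps leave the engine no
// ambiguous ways to split the input, so matching cost grows linearly.

// Bullet variant, matches "· 1998 - 2001" and "· 2001 - Present"
const yearToYearWithDotRegex =
  /·\s*((?:19|20)\d{2})\s*-\s*((?:19|20)\d{2}|Present)/g;

// Plain variant, matches "1998 - 2001" and "2001 - Present"
const yearToYearRegex =
  /\b((?:19|20)\d{2})\s*-\s*((?:19|20)\d{2}|Present)\b/g;

// Assumed cap on untrusted input: bounding length bounds regex work as well.
const MAX_INPUT_LENGTH = 10000;

// Returns [{start, end}] for every range found; `end` is null for "Present".
function parseYearRanges(text, regex = yearToYearRegex) {
  if (typeof text !== 'string' || text.length > MAX_INPUT_LENGTH) {
    throw new RangeError('input rejected: not a string or too long');
  }
  // Clone the pattern so a shared /g regex's lastIndex never leaks between calls.
  const re = new RegExp(regex.source, regex.flags);
  const ranges = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    ranges.push({
      start: Number(m[1]),
      end: m[2] === 'Present' ? null : Number(m[2]),
    });
  }
  return ranges;
}

// Constructed sample input resembling the bulleted lines in the question.
const SAMPLE = '· 1998 - 2001\n· 2001 - Present\nFoo 1995 -   1997 bar';

// parseYearRanges(SAMPLE, yearToYearWithDotRegex) returns the two bulleted ranges;
// parseYearRanges(SAMPLE) also picks up the un-bulleted "1995 -   1997".
```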