The regular expression in the code you provided is susceptible to a ReDoS vulnerability because it contains a potentially exponential matching pattern. This could cause the regular expression engine to enter into a state of catastrophic backtracking when processing certain inputs, leading to denial of service attacks.
To fix the vulnerability, you can limit the maximum length of the input string that the regular expression engine will process. One way to do this is to use a non-capturing group with a bounded repetition operator, like this:
const MAX_QUERY_LENGTH = 1000; // set a reasonable upper limit on query length
// escape every regex metacharacter so the query is matched literally
const escapedQuery = query.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&');
// bounded repetition of the escaped query, case-insensitive and global
const re = new RegExp('(?:' + escapedQuery + '){1,' + MAX_QUERY_LENGTH + '}', 'ig');
This limits the maximum length of the matched input to MAX_QUERY_LENGTH, which you can set to a value appropriate for your application.
Note that this is just one possible approach to fixing the vulnerability. Depending on the specifics of your application, there may be other solutions that are more appropriate.
The Snyk Learn platform also has a ReDoS lesson:
https://learn.snyk.io/lessons/redos/javascript/
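Added example (not the answer's own code) of the escape-then-compile step described above: it escapes the user query so no metacharacter can introduce a quantifier, and bounds the input by rejecting over-long queries before compiling rather than wrapping the pattern in a {1,MAX} repetition. The function names and the sample text are assumptions.

```javascript
// Added example, not the answer's code: function names and sample text are assumptions.
const MAX_QUERY_LENGTH = 1000;

// Escape every regex metacharacter so the query cannot contribute any
// quantifier, group or alternation of its own to the compiled pattern.
function escapeRegExp(s) {
  return s.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&');
}

// Build a case-insensitive, global RegExp for a literal search string.
// Throws on an empty or over-long query so the caller can reject the
// request instead of handing an oversized pattern to the engine.
function buildQueryRegExp(query, maxLen = MAX_QUERY_LENGTH) {
  if (typeof query !== 'string') throw new TypeError('query must be a string');
  if (query.length === 0) throw new RangeError('query must not be empty');
  if (query.length > maxLen) {
    throw new RangeError(`query exceeds ${maxLen} characters`);
  }
  return new RegExp(escapeRegExp(query), 'ig');
}

// Count literal, case-insensitive occurrences of query in text.
function countMatches(text, query, maxLen = MAX_QUERY_LENGTH) {
  const re = buildQueryRegExp(query, maxLen);
  const matches = text.match(re);
  return matches ? matches.length : 0;
}

// Constructed sample input: metacharacters in the query are taken literally,
// so 'a.b' matches 'a.b' and 'A.B' but not 'aXb'.
const sampleText = 'price (a+)+$ is not a.b; A.B, aXb and a.b appear';
```

`countMatches(sampleText, 'a.b')` returns 3 and `countMatches(sampleText, '(a+)+$')` returns 1, while a 1001-character query is rejected before any RegExp is compiled.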