This repository has been archived by the owner on May 9, 2024. It is now read-only.
There are known instances of regular expressions with bad (exponential) worst-case performance in the WebMangler code base. These don't apply to normal inputs - regular code snippets - and so are not considered a bug or security issue but rather a performance issue that would ideally be fixed.
⚠️ Anyone using WebMangler on untrusted input should consider this a security issue and take necessary precautions to prevent ReDoS attacks.
This issue is intended to track known bad (parts of) regular expressions so they can be addressed individually/in groups.
Participating
If you find an instance of a regular expression that has a bad worst-case performance, feel free to leave a comment and it'll be added to the list.
If you know how to fix one/a group of these, feel free to open a Pull Request with a fix. Try to clearly communicate which instances in this issue are addressed by your fix. If possible, add or update performance tests to prevent re-introduction of the worst-case regular expression in the future.
Performance
^0.1.23
Overview
language-html
style-tag.ts:L8: Exponential backtracking on strings starting with "'<script>;</script'" followed by many repetitions of "" or ''.
script-tag.ts:L8: Exponential backtracking on strings starting with "'<style>;</style'" followed by many repetitions of "" or ''.
Related
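One way to write the kind of performance test the issue asks contributors to add, as an added example that is not WebMangler code. The two patterns, the `<b>` worst-case input, the sample strings and the 50 ms budget are all constructed for illustration.

```typescript
// Added example. Both patterns are constructed, not taken from WebMangler.
// VULNERABLE nests a quantifier in a quantifier, so a failing match is retried
// in exponentially many ways. FIXED accepts exactly the same strings.
const VULNERABLE: RegExp = /^<b>(?:[^<]+)+<\/b>$/;
const FIXED: RegExp = /^<b>[^<]+<\/b>$/;

// Constructed worst case: an opening tag, n filler characters, no closing tag.
function worstCase(n: number): string {
  return "<b>" + new Array(n + 1).join("a");
}

const SIZES: number[] = [16, 20, 24, 28]; // filler lengths to probe
const BUDGET_MS = 50;                     // assumed per-match time budget
const SAMPLES: string[] = ["<b>hi</b>", "<b></b>", "<b>a<i>", "plain"];

// Wall-clock time of a single match attempt, in milliseconds.
function matchMs(re: RegExp, input: string): number {
  const start = Date.now();
  re.test(input);
  return Date.now() - start;
}

// First probed size whose worst-case input exceeds the budget, or null when
// every size stays within it. Stops at the first breach so the test stays fast.
function firstSizeOverBudget(re: RegExp): number | null {
  for (const n of SIZES) {
    if (matchMs(re, worstCase(n)) > BUDGET_MS) return n;
  }
  return null;
}

// A fix must not change which inputs match: compare verdicts on the samples.
function sameVerdicts(a: RegExp, b: RegExp): boolean {
  return SAMPLES.every((s) => a.test(s) === b.test(s));
}

// Regression check for a test suite: true only when the candidate stays within
// budget on the worst case and agrees with the reference pattern on SAMPLES.
function passesRegression(candidate: RegExp, reference: RegExp): boolean {
  return firstSizeOverBudget(candidate) === null && sameVerdicts(candidate, reference);
}
```

Probing a short ladder of sizes and stopping at the first breach keeps the suite fast even while the exponential pattern is still present.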