Gathering detailed insights and metrics for @wemnyelezxnpm/enim-omnis-similique
Gathering detailed insights and metrics for @wemnyelezxnpm/enim-omnis-similique
Installations
npm install @wemnyelezxnpm/enim-omnis-similiqueDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Node Version
20.12.2
NPM Version
10.5.0
Languages
1
JavaScript
JavaScript (100%)
Developer
wemnyelezxnpm
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
3 Commits
1 Branches
Updated on Apr 27, 2024
Maintainers
1
Package Meta Information
Latest Version
1.0.0
Package Id
@wemnyelezxnpm/enim-omnis-similique@1.0.0
Unpacked Size
14.47 kB
Size
6.08 kB
File Count
10
NPM Version
10.5.0
Node Version
20.12.2
Published on
Apr 27, 2024
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
33
@crabas0npm/enim-animi-iure@ffras4vnpm/iste-soluta-repellendus@ffras4vnpm/ullam-odio-aspernatur@wemnyelezxnpm/a-illo-eos-qui@wemnyelezxnpm/aliquam-accusantium-porro-voluptates@wemnyelezxnpm/architecto-eligendi-ex-unde@wemnyelezxnpm/autem-est-molestias-numquam@wemnyelezxnpm/consectetur-eligendi-mollitia-enim@wemnyelezxnpm/consequatur-vel-distinctio-quia@wemnyelezxnpm/corrupti-voluptatem-pariatur-assumenda@wemnyelezxnpm/cum-assumenda-et-ad@wemnyelezxnpm/dolor-deserunt-reprehenderit-sunt@wemnyelezxnpm/esse-saepe-vero-excepturi@wemnyelezxnpm/ex-laudantium-dignissimos-nesciunt@wemnyelezxnpm/excepturi-odit-culpa-magnam@wemnyelezxnpm/facilis-velit-quam-ducimus@wemnyelezxnpm/illo-possimus-quas-ipsa@wemnyelezxnpm/illum-possimus-officiis-eius@wemnyelezxnpm/inventore-totam-iste-pariatur@wemnyelezxnpm/nam-sequi-vitae-eveniet@wemnyelezxnpm/nam-suscipit-commodi-nam@wemnyelezxnpm/odit-placeat-delectus-iure@wemnyelezxnpm/officiis-nesciunt-quisquam-delectus@wemnyelezxnpm/quas-quo-aperiam-quasi@wemnyelezxnpm/quis-consectetur-nisi-dicta@wemnyelezxnpm/quo-alias-sapiente-eveniet@wemnyelezxnpm/sit-ad-nesciunt-possimus@wemnyelezxnpm/temporibus-fugiat-ipsum-veniam@wemnyelezxnpm/temporibus-non-reiciendis-fuga@wemnyelezxnpm/tenetur-architecto-laborum-hic@wemnyelezxnpm/vel-nemo-fuga-veritatis@wemnyelezxnpm/vero-tempore-impedit-reiciendis@wemnyelezxnpm/voluptas-dolorem-earum-corporis
@wemnyelezxnpm/enim-omnis-similique
Why?
You want to let end users enter their own regular expressions. But regular expressions can lead to catastrophic backtracking. This can take up hours of CPU time. In Node.js this means no other code can execute. It is a Denial of Service (DOS) attack vector, whether intentionally or by accident.
This module lets you test regular expressions with a time limit to mitigate the pain.
Usage
1// Set a 1-second limit. Default is 0.25 seconds 2const regExp = require('@wemnyelezxnpm/enim-omnis-similique')({ limit: 1 }); 3 4// A common email address validator with potentially evil characteristics 5// (catastrophic backtracking) 6const evil = /^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/; 7 8(async () => { 9 // Run a potentially slow regular expression on short, matching input 10 const realEmail = 'test@test.com'; 11 const realEmailResult = await regExp.match(evil, realEmail); 12 // Normal behavior, may be truthy or falsy according to match, 13 // returns the same array result as regular regexp match() calls 14 console.log(realEmailResult); 15 // This input is long enough to trigger catastrophic backtracking and 16 // could take hours to evaluate 17 const evilEmail = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'; 18 try { 19 const evilEmailResult = await regExp.match(evil, evilEmail); 20 // We will not get here, exception will be thrown 21 } catch (e) { 22 console.log(e.name); // Will be 'timeout' 23 } 24})();
Notes
"Why is match an async function?" It runs in a separate process because that is the only way to avoid starving the Node.js application and implement a portable timeout on the regular expression.
"How bad is the performance overhead?" Communication with a separate worker process makes it slower of course, but the process is reused by later calls, so the hit is not serious.
Flags, for instance the g flag, are supported.
You can pass the regular expression as a string, but regular expression literals (what you are used to typing) are easier to get right because you don't have to double-escape anything.
No vulnerabilities found.
No security vulnerabilities found.