
Commit c3e203c

efebarlas and epoberezkin authored Dec 15, 2021
Update ReDoS section of security.md to accommodate #1683 (#1828)
* Update ReDoS section of security.md
* Update docs/security.md
* Update docs/security.md
* Update docs/security.md

Co-authored-by: Evgeny Poberezkin <2769109+epoberezkin@users.noreply.github.com>
1 parent 43ed019 commit c3e203c


1 file changed

+20
-0
lines changed


docs/security.md

+20
@@ -65,6 +65,26 @@ Certain regular expressions can lead to the exponential evaluation time even wit
6565

6666
Please assess the regular expressions you use in the schemas on their vulnerability to this attack - see [safe-regex](https://github.com/substack/safe-regex), for example.
6767

68+
By default, Ajv uses the regex engine built into Node.js. This engine has exponential worst-case performance. This performance (and ReDoS attacks) can be mitigated by using a linear-time regex engine. Ajv supports the use of a third-party regex engine for this purpose.
69+
70+
To use a third-party regex engine in Ajv, set the ajv.opts.code.regExp property to that regex engine during instantiation. Here we use Google’s RE2 engine as an example.
71+
72+
```
73+
const Ajv = require("ajv")
74+
const RE2 = require("re2")
75+
const ajv = new Ajv({regExp: RE2})
76+
```
77+
78+
For details about the interface of the `regexp` option, see options.md under the docs folder.
79+
80+
Although linear-time regex engines eliminate ReDoS vulnerabilities, changing a regex engine carries some risk, including:
81+
82+
- Minor changes in regex syntax.
83+
- Minor changes in regex semantics. For example, RE2 always interprets regexes in Unicode, and disagrees with JavaScript in its definition of whitespace. To avoid regressions, develop and test your regexes in the same regex engine that you use in production.
84+
- May not support some advanced features, such as look-aheads or back-references.
85+
- May have (minor) common-case performance degradation.
86+
- Increases size of distributable (e.g. RE2 includes a non-trivial C component).
87+
6888
::: warning ReDoS attack
6989
Some formats that [ajv-formats](https://github.com/ajv-validator/ajv-formats) package implements use [regular expressions](https://github.com/ajv-validator/ajv-formats/blob/master/src/formats.ts) that can be vulnerable to ReDoS attack.
7090
:::
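Review bot: the prose and the snippet in this hunk disagree on where the regex engine is configured. The added paragraph says to "set the ajv.opts.code.regExp property", i.e. the option lives under `code`, but the example that follows is `const ajv = new Ajv({regExp: RE2})`, which passes `regExp` at the top level of the options object; one of the two should be corrected so a reader copying the snippet does not end up with a configuration that does not match the described option path (if `code.regExp` is the real key, the snippet should read `new Ajv({code: {regExp: RE2}})`). The later sentence "For details about the interface of the `regexp` option" introduces a third spelling in lowercase; use one casing consistently, and consider linking options.md instead of describing its location. Minor: the fence opened before `const Ajv = require("ajv")` has no language tag, so the snippet gets no syntax highlighting; tagging it ```` ```javascript ```` fixes that. Also minor: the last three bullets ("May not support ...", "May have ...", "Increases size ...") lack the subject that the first two bullets have ("Minor changes in ..."); rewording them as "Lack of support for ...", "Possible common-case performance degradation" and "Larger distributable ..." would make the list parallel.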

0 commit comments