find-my-way - npm Package Compare versions

Comparing version 1.12.0 to 1.13.0

index.js

@@ -17,2 +17,3 @@ 'use strict'
 const fastDecode = require('fast-decode-uri-component')
+const isRegexSafe = require('safe-regex')
 const Node = require('./node')
@@ -37,2 +38,3 @@ const NODE_TYPES = Node.prototype.types
   this.maxParamLength = opts.maxParamLength || 100
+  this.allowUnsafeRegex = opts.allowUnsafeRegex || false
   this.tree = new Node()
@@ -114,3 +116,8 @@ this.routes = []
       var regex = isRegex ? parameter.slice(parameter.indexOf('('), i) : null
-      if (isRegex) regex = new RegExp(regex)
+      if (isRegex) {
+        regex = new RegExp(regex)
+        if (!this.allowUnsafeRegex) {
+          assert(isRegexSafe(regex), `The regex '${regex.toString()}' is not safe!`)
+        }
+      }
       params.push(parameter.slice(0, isRegex ? parameter.indexOf('(') : i))
@@ -117,0 +124,0 @@

package.json

 {
   "name": "find-my-way",
-  "version": "1.12.0",
+  "version": "1.13.0",
   "description": "Crazy fast http radix based router",
@@ -37,4 +37,5 @@ "main": "index.js",
   "dependencies": {
-    "fast-decode-uri-component": "^1.0.0"
+    "fast-decode-uri-component": "^1.0.0",
+    "safe-regex": "^1.1.0"
   }
 }

README.md

@@ -70,2 +70,10 @@ # find-my-way
 ```
+
+If you are using a regex based route, `find-my-way` will throw an error if detects potentially catastrophic exponential-time regular expressions *(internally uses [`safe-regex`](https://github.com/substack/safe-regex))*.<br/>
+If you want to disable this behavior, pass the option `allowUnsafeRegex`.
+```js
+const router = require('find-my-way')({
+  allowUnsafeRegex: true
+})
+```
 <a name="on"></a>
@@ -72,0 +80,0 @@ #### on(method, path, handler, [store])

test/issue-62.test.js

 'use strict'
 
 const t = require('tap')
-const factory = require('../')
+const FindMyWay = require('../')
 
@@ -11,19 +11,19 @@ const noop = function () {}
 
-  const fmw = factory()
+  const findMyWay = FindMyWay({ allowUnsafeRegex: true })
 
-  fmw.on('GET', '/foo/:id(([a-f0-9]{3},?)+)', noop)
+  findMyWay.on('GET', '/foo/:id(([a-f0-9]{3},?)+)', noop)
 
-  t.notOk(fmw.find('GET', '/foo/qwerty'))
-  t.ok(fmw.find('GET', '/foo/bac,1ea'))
+  t.notOk(findMyWay.find('GET', '/foo/qwerty'))
+  t.ok(findMyWay.find('GET', '/foo/bac,1ea'))
 })
 
 t.test('issue-62 - escape chars', (t) => {
-  const fmw = factory()
+  const findMyWay = FindMyWay()
 
   t.plan(2)
 
-  fmw.get('/foo/:param(\\([a-f0-9]{3}\\))', noop)
+  findMyWay.get('/foo/:param(\\([a-f0-9]{3}\\))', noop)
 
-  t.notOk(fmw.find('GET', '/foo/abc'))
-  t.ok(fmw.find('GET', '/foo/(abc)'))
+  t.notOk(findMyWay.find('GET', '/foo/abc'))
+  t.ok(findMyWay.find('GET', '/foo/(abc)'))
 })

test/regex.test.js

@@ -146,1 +146,96 @@ 'use strict'
 })
+
+test('Should check if a regex is safe to use', t => {
+  t.plan(13)
+
+  const noop = () => {}
+
+  // https://github.com/substack/safe-regex/blob/master/test/regex.js
+  const good = [
+    /\bOakland\b/,
+    /\b(Oakland|San Francisco)\b/i,
+    /^\d+1337\d+$/i,
+    /^\d+(1337|404)\d+$/i,
+    /^\d+(1337|404)*\d+$/i,
+    RegExp(Array(26).join('a?') + Array(26).join('a'))
+  ]
+
+  const bad = [
+    /^(a?){25}(a){25}$/,
+    RegExp(Array(27).join('a?') + Array(27).join('a')),
+    /(x+x+)+y/,
+    /foo|(x+x+)+y/,
+    /(a+){10}y/,
+    /(a+){2}y/,
+    /(.*){1,32000}[bc]/
+  ]
+
+  const findMyWay = FindMyWay()
+
+  good.forEach(regex => {
+    try {
+      findMyWay.on('GET', `/test/:id(${regex.toString()})`, noop)
+      t.pass('ok')
+      findMyWay.off('GET', `/test/:id(${regex.toString()})`, noop)
+    } catch (err) {
+      t.fail(err)
+    }
+  })
+
+  bad.forEach(regex => {
+    try {
+      findMyWay.on('GET', `/test/:id(${regex.toString()})`, noop)
+      t.fail('should throw')
+    } catch (err) {
+      t.ok(err)
+    }
+  })
+})
+
+test('Disable safe regex check', t => {
+  t.plan(13)
+
+  const noop = () => {}
+
+  // https://github.com/substack/safe-regex/blob/master/test/regex.js
+  const good = [
+    /\bOakland\b/,
+    /\b(Oakland|San Francisco)\b/i,
+    /^\d+1337\d+$/i,
+    /^\d+(1337|404)\d+$/i,
+    /^\d+(1337|404)*\d+$/i,
+    RegExp(Array(26).join('a?') + Array(26).join('a'))
+  ]
+
+  const bad = [
+    /^(a?){25}(a){25}$/,
+    RegExp(Array(27).join('a?') + Array(27).join('a')),
+    /(x+x+)+y/,
+    /foo|(x+x+)+y/,
+    /(a+){10}y/,
+    /(a+){2}y/,
+    /(.*){1,32000}[bc]/
+  ]
+
+  const findMyWay = FindMyWay({ allowUnsafeRegex: true })
+
+  good.forEach(regex => {
+    try {
+      findMyWay.on('GET', `/test/:id(${regex.toString()})`, noop)
+      t.pass('ok')
+      findMyWay.off('GET', `/test/:id(${regex.toString()})`, noop)
+    } catch (err) {
+      t.fail(err)
+    }
+  })
+
+  bad.forEach(regex => {
+    try {
+      findMyWay.on('GET', `/test/:id(${regex.toString()})`, noop)
+      t.pass('ok')
+      findMyWay.off('GET', `/test/:id(${regex.toString()})`, noop)
+    } catch (err) {
+      t.fail(err)
+    }
+  })
+})

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

113018

increased by2.58%

Lines of code

3313

increased by2.73%

Number of lines in readme file

257

increased by3.21%

Worsened metrics

Dependency count

2

increased by100%

Dependency changes

• + Addedsafe-regex@^1.1.0

• + Addedret@0.1.15(transitive)

• + Addedsafe-regex@1.1.0(transitive)