Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
path-to-regexp
The path-to-regexp package is a utility for converting paths to and from regular expressions. It is commonly used for routing in web applications, allowing developers to define patterns for URL paths and extract parameters from them.
Path to RegExp Conversion
Convert a path string into a regular expression. It can also extract named parameter keys.
const { pathToRegexp } = require('path-to-regexp');
const keys = [];
const regexp = pathToRegexp('/user/:id', keys);
Extracting Parameters from a Path
Match a path against a pattern and extract the named parameters.
const { match } = require('path-to-regexp');
const matchFn = match('/user/:id');
const result = matchFn('/user/123');
// result.params will contain the extracted parameters
Compile Path to String
Compile a path function from a string pattern, which can then be used to construct paths with parameters.
const { compile } = require('path-to-regexp');
const toPath = compile('/user/:id');
const path = toPath({ id: 123 });
// path will be '/user/123'
Express is a web application framework for Node.js that includes its own routing capabilities, which are similar to path-to-regexp. Express uses path-to-regexp internally for its routing logic.
React Router is a routing library for React that uses path-to-regexp-like pattern matching for defining routes and extracting parameters, but it is specifically tailored for React applications.
url-pattern is another library for matching URLs against patterns and extracting parameters. It offers a similar API to path-to-regexp but with different syntax and additional options for pattern matching.
Turn a path string such as /user/:name into a regular expression.
npm install path-to-regexp --save
const { pathToRegexp, match, parse, compile } = require("path-to-regexp");
// pathToRegexp(path, keys?, options?)
// match(path)
// parse(path)
// compile(path)
The pathToRegexp function will return a regular expression object based on the provided path argument. It accepts the following arguments:
true the regexp will be case sensitive. (default: false)
true the regexp won't allow an optional trailing delimiter to match. (default: false)
true the regexp will match to the end of the string. (default: true)
true the regexp will match from the beginning of the string. (default: true)
[^/#?] for :named patterns. (default: '/#?')
RegExp. (default: x => x)
./)
const keys = [];
const regexp = pathToRegexp("/foo/:bar", keys);
// regexp = /^\/foo(?:\/([^\/#\?]+?))[\/#\?]?$/i
// keys = [{ name: 'bar', prefix: '/', suffix: '', pattern: '[^\\/#\\?]+?', modifier: '' }]
Please note: The RegExp returned by path-to-regexp is intended for ordered data (e.g. pathnames, hostnames). It can not handle arbitrarily ordered data (e.g. query strings, URL fragments, JSON, etc). When using paths that contain query strings, you need to escape the question mark (?) to ensure it does not flag the parameter as optional.
The path argument is used to define parameters and populate keys.
Named parameters are defined by prefixing a colon to the parameter name (:foo).
const regexp = pathToRegexp("/:foo/:bar");
// keys = [{ name: 'foo', prefix: '/', ... }, { name: 'bar', prefix: '/', ... }]
regexp.exec("/test/route");
//=> [ '/test/route', 'test', 'route', index: 0, input: '/test/route', groups: undefined ]
Please note: Parameter names must use "word characters" ([A-Za-z0-9_]).
Parameters can have a custom regexp, which overrides the default match ([^/]+). For example, you can match digits or names in a path:
const regexpNumbers = pathToRegexp("/icon-:foo(\\d+).png");
// keys = [{ name: 'foo', ... }]
regexpNumbers.exec("/icon-123.png");
//=> ['/icon-123.png', '123']
regexpNumbers.exec("/icon-abc.png");
//=> null
const regexpWord = pathToRegexp("/(user|u)");
// keys = [{ name: 0, ... }]
regexpWord.exec("/u");
//=> ['/u', 'u']
regexpWord.exec("/users");
//=> null
Tip: Backslashes need to be escaped with another backslash in JavaScript strings.
Parameters can be wrapped in {} to create custom prefixes or suffixes for your segment:
const regexp = pathToRegexp("/:attr1?{-:attr2}?{-:attr3}?");
regexp.exec("/test");
// => ['/test', 'test', undefined, undefined]
regexp.exec("/test-test");
// => ['/test-test', 'test', 'test', undefined]
It is possible to write an unnamed parameter that only consists of a regexp. It works the same as a named parameter, except it will be numerically indexed:
const regexp = pathToRegexp("/:foo/(.*)");
// keys = [{ name: 'foo', ... }, { name: 0, ... }]
regexp.exec("/test/route");
//=> [ '/test/route', 'test', 'route', index: 0, input: '/test/route', groups: undefined ]
Modifiers must be placed after the parameter (e.g. /:foo?, /(test)?, /:foo(test)?, or {-:foo(test)}?).
Parameters can be suffixed with a question mark (?) to make the parameter optional.
const regexp = pathToRegexp("/:foo/:bar?");
// keys = [{ name: 'foo', ... }, { name: 'bar', prefix: '/', modifier: '?' }]
regexp.exec("/test");
//=> [ '/test', 'test', undefined, index: 0, input: '/test', groups: undefined ]
regexp.exec("/test/route");
//=> [ '/test/route', 'test', 'route', index: 0, input: '/test/route', groups: undefined ]
Tip: The prefix is also optional, escape the prefix \/ to make it required.
When dealing with query strings, escape the question mark (?) so it doesn't mark the parameter as optional. Handling unordered data is outside the scope of this library.
const regexp = pathToRegexp("/search/:tableName\\?useIndex=true&term=amazing");
regexp.exec("/search/people?useIndex=true&term=amazing");
//=> [ '/search/people?useIndex=true&term=amazing', 'people', index: 0, input: '/search/people?useIndex=true&term=amazing', groups: undefined ]
// This library does not handle query strings in different orders
regexp.exec("/search/people?term=amazing&useIndex=true");
//=> null
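An added example (not part of the path-to-regexp documentation) of one way to handle the query-string case above: match only the pathname against the route RegExp and read the query with URLSearchParams, so parameter order does not matter and unknown or repeated keys are rejected. parseSearchRequest, ALLOWED_QUERY_KEYS and the placeholder base URL are hypothetical, and the RegExp is written by hand so the block runs without the library.

```javascript
// Hand-written RegExp for "/search/:tableName" (assumption: same shape as the
// "/foo/:bar" RegExp printed earlier on this page). Only the pathname is matched.
const searchRoute = /^\/search(?:\/([^\/#\?]+?))[\/#\?]?$/i;
const ALLOWED_QUERY_KEYS = new Set(["useIndex", "term"]); // hypothetical allow-list

// Hypothetical helper: returns { tableName, useIndex, term } or null.
function parseSearchRequest(requestTarget) {
  try {
    // The base is a placeholder; only pathname and searchParams are read.
    const url = new URL(requestTarget, "http://placeholder.invalid");
    const m = searchRoute.exec(url.pathname);
    if (m === null) return null;

    const seen = new Map();
    for (const [key, value] of url.searchParams) {
      // Unknown or repeated keys are rejected rather than guessing which wins.
      if (!ALLOWED_QUERY_KEYS.has(key) || seen.has(key)) return null;
      seen.set(key, value);
    }
    if (!seen.has("term")) return null;

    return {
      tableName: decodeURIComponent(m[1]), // throws URIError on bad escapes
      useIndex: seen.get("useIndex") === "true",
      term: seen.get("term"),
    };
  } catch (err) {
    // Unparseable target or malformed percent-encoding: treat as a bad request.
    if (err instanceof TypeError || err instanceof URIError) return null;
    throw err;
  }
}

// Constructed sample request targets.
console.log(parseSearchRequest("/search/people?useIndex=true&term=amazing"));
console.log(parseSearchRequest("/search/people?term=amazing&useIndex=true"));
console.log(parseSearchRequest("/search/people?term=a&term=b"));
```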
Parameters can be suffixed with an asterisk (*) to denote a zero or more parameter matches.
const regexp = pathToRegexp("/:foo*");
// keys = [{ name: 'foo', prefix: '/', modifier: '*' }]
regexp.exec("/");
//=> [ '/', undefined, index: 0, input: '/', groups: undefined ]
regexp.exec("/bar/baz");
//=> [ '/bar/baz', 'bar/baz', index: 0, input: '/bar/baz', groups: undefined ]
Parameters can be suffixed with a plus sign (+) to denote a one or more parameter matches.
const regexp = pathToRegexp("/:foo+");
// keys = [{ name: 'foo', prefix: '/', modifier: '+' }]
regexp.exec("/");
//=> null
regexp.exec("/bar/baz");
//=> [ '/bar/baz', 'bar/baz', index: 0, input: '/bar/baz', groups: undefined ]
The match function will return a function for transforming paths into parameters:
// Make sure you consistently `decode` segments.
const fn = match("/user/:id", { decode: decodeURIComponent });
fn("/user/123"); //=> { path: '/user/123', index: 0, params: { id: '123' } }
fn("/invalid"); //=> false
fn("/user/caf%C3%A9"); //=> { path: '/user/caf%C3%A9', index: 0, params: { id: 'café' } }
The match function can be used to custom match named parameters. For example, this can be used to whitelist a small number of valid paths:
const urlMatch = match("/users/:id/:tab(home|photos|bio)", {
  decode: decodeURIComponent,
});
urlMatch("/users/1234/photos");
//=> { path: '/users/1234/photos', index: 0, params: { id: '1234', tab: 'photos' } }
urlMatch("/users/1234/bio");
//=> { path: '/users/1234/bio', index: 0, params: { id: '1234', tab: 'bio' } }
urlMatch("/users/1234/otherstuff");
//=> false
You should make sure variations of the same path match the expected path. Here's one possible solution using encode:
const fn = match("/café", { encode: encodeURI });
fn("/caf%C3%A9"); //=> { path: '/caf%C3%A9', index: 0, params: {} }
Note: URL encodes paths, so /café would be normalized to /caf%C3%A9 and match in the above example.
Sometimes you won't have already normalized paths to use, so you could normalize them yourself before matching:
/**
 * Normalize a pathname for matching, replaces multiple slashes with a single
 * slash and normalizes unicode characters to "NFC". When using this method,
 * `decode` should be an identity function so you don't decode strings twice.
 */
function normalizePathname(pathname: string) {
  return (
    decodeURI(pathname)
      // Replaces repeated slashes in the URL.
      .replace(/\/+/g, "/")
      // Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/normalize
      // Note: Missing native IE support, may want to skip this step.
      .normalize()
  );
}
// Two possible ways of writing `/café`:
const re = pathToRegexp("/caf\u00E9");
const input = encodeURI("/cafe\u0301");
re.test(input); //=> false
re.test(normalizePathname(input)); //=> true
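An added example (not from the path-to-regexp project) of the normalize-then-match step above with one failure mode handled: decodeURI throws URIError on malformed percent-encoding, which should end in a rejected request rather than an unhandled exception. cafeRoute, safeNormalizePathname and classify are hypothetical names, and the RegExp is written by hand so the block runs without the library.

```javascript
// Hand-written equivalent of the RegExp for "/caf\u00E9" (assumption: same
// /^...[\/#\?]?$/i shape as the RegExp printed earlier on this page).
const cafeRoute = /^\/caf\u00E9[\/#\?]?$/i;

// Same steps as normalizePathname above, but returns null instead of throwing
// when decodeURI meets an invalid escape sequence. decodeURI leaves reserved
// escapes such as %2F encoded, so an encoded slash never becomes a separator.
function safeNormalizePathname(pathname) {
  let decoded;
  try {
    decoded = decodeURI(pathname);
  } catch (err) {
    if (err instanceof URIError) return null;
    throw err;
  }
  return decoded.replace(/\/+/g, "/").normalize("NFC");
}

// Hypothetical helper: "match", "no-match" or "bad-request" for one raw path.
function classify(rawPath) {
  const normalized = safeNormalizePathname(rawPath);
  if (normalized === null) return "bad-request";
  return cafeRoute.test(normalized) ? "match" : "no-match";
}

// Constructed sample inputs: spellings of the same resource, plus malformed ones.
const samples = [
  "/caf%C3%A9", // precomposed é
  "/cafe%CC%81", // e + combining acute accent (NFD)
  "//caf%C3%A9", // repeated slash
  "/caf%C3%A9%2Fx", // encoded slash stays encoded
  "/caf%C3", // truncated UTF-8 sequence
  "/caf%ZZ", // not hexadecimal
];

for (const p of samples) {
  console.log(p, "raw:", cafeRoute.test(p), "normalized:", classify(p));
}
```

Matching the raw input returns false for every sample; only the normalized form separates the legitimate spellings from the malformed ones.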
The parse function will return a list of strings and keys from a path string:
const tokens = parse("/route/:foo/(.*)");
console.log(tokens[0]);
//=> "/route"
console.log(tokens[1]);
//=> { name: 'foo', prefix: '/', suffix: '', pattern: '[^\\/#\\?]+?', modifier: '' }
console.log(tokens[2]);
//=> { name: 0, prefix: '/', suffix: '', pattern: '.*', modifier: '' }
Note: This method only works with strings.
The compile function will return a function for transforming parameters into a valid path:
// Make sure you encode your path segments consistently.
const toPath = compile("/user/:id", { encode: encodeURIComponent });
toPath({ id: 123 }); //=> "/user/123"
toPath({ id: "café" }); //=> "/user/caf%C3%A9"
toPath({ id: ":/" }); //=> "/user/%3A%2F"
// Without `encode`, you need to make sure inputs are encoded correctly.
// (Note: You can use `validate: false` to create invalid paths.)
const toPathRaw = compile("/user/:id", { validate: false });
toPathRaw({ id: "%3A%2F" }); //=> "/user/%3A%2F"
toPathRaw({ id: ":/" }); //=> "/user/:/"
const toPathRepeated = compile("/:segment+");
toPathRepeated({ segment: "foo" }); //=> "/foo"
toPathRepeated({ segment: ["a", "b", "c"] }); //=> "/a/b/c"
const toPathRegexp = compile("/user/:id(\\d+)");
toPathRegexp({ id: 123 }); //=> "/user/123"
toPathRegexp({ id: "123" }); //=> "/user/123"
Note: The generated function will throw on invalid input.
Path-To-RegExp exposes the two functions used internally that accept an array of tokens:
tokensToRegexp(tokens, keys?, options?): Transform an array of tokens into a matching regular expression.
tokensToFunction(tokens): Transform an array of tokens into a path generator function.
name: The name of the token (string for named or number for unnamed index)
prefix: The prefix string for the segment (e.g. "/")
suffix: The suffix string for the segment (e.g. "")
pattern: The RegExp used to match this token (string)
modifier: The modifier character used for the segment (e.g. ?)
Path-To-RegExp breaks compatibility with Express <= 4.x:
RegExp special characters regardless of position - this is considered a bug
*, + and ?. E.g. /:user*
*) - use parameters instead ((.*) or :splat*)
You can see a live demo of this library in use at express-route-tester.
MIT
FAQs
Express style path to RegExp utility
The npm package path-to-regexp receives a total of 51,683,510 weekly downloads. As such, path-to-regexp popularity was classified as popular.
We found that path-to-regexp demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.