A library for finite automata and regular expressions in the context of JS RegExp
A library for regular expressions (RE) and finite automata (FA) in the context of JavaScript RegExp.
refa is a general library for DFA, NFA, and REs of formal regular languages. It also includes methods to easily convert from JS RegExp to the internal RE AST and vice versa.
Get refa from NPM:
npm i --save refa
or
yarn add refa
Conversions
DFA, NFA, and ENFA operations
DFA specific operations
NFA and ENFA specific operations
AST transformations
JavaScript RegExp
See the API documentation for a complete list of all currently implemented operations.
refa uses its own AST format to represent regular expressions. The RE AST format is language agnostic and relatively simple.
It supports concatenation (ab), alternation (a|b), quantifiers (a{4,6}, a{2,}?, a?, a*), and assertions ((?=a), (?<!a)).
Some features like atomic groups and capturing groups are not supported (but might be added in the future).
For information on how to parse JS RegExp and convert RE AST to JS RegExp, see the JS namespace.
refa does not use JavaScript strings to represent characters or sequences of characters. Instead, it uses integers to represent characters (see the Char type) and arrays of numbers to represent words/strings (see the Word type). This means that any text encoding can be used.
The Words namespace contains functions to convert JavaScript data into refa-compatible words and characters.
For sets of characters, the CharSet class is used.
This library will never be able to support some modern features of regex engines such as backreferences and recursion because these features, generally, cannot be represented by a DFA or NFA.
refa is a relatively low-level library. It only provides the basic building blocks. In the following examples, JS RegExps are used a lot, so we will define a few useful helper functions beforehand.
import { DFA, FiniteAutomaton, JS, NFA } from "refa";
function toNFA(regex: RegExp): NFA {
const { expression, maxCharacter } = JS.Parser.fromLiteral(regex).parse();
return NFA.fromRegex(expression, { maxCharacter });
}
function toDFA(regex: RegExp): DFA {
return DFA.fromFA(toNFA(regex));
}
function toRegExp(fa: FiniteAutomaton): RegExp {
const literal = JS.toLiteral(fa.toRegex());
return new RegExp(literal.source, literal.flags);
}
toNFA parses the given RegExp and constructs a new NFA from the parsed AST.
toDFA constructs a new NFA from the RegExp first and then converts that NFA into a new DFA.
toRegExp takes an FA (= NFA or DFA) and converts it into a RegExp.

import { Words } from "refa";
const regex = /\w+\d+/;
const nfa = toNFA(regex);
console.log(nfa.test(Words.fromStringToUTF16("abc")));
// => false
console.log(nfa.test(Words.fromStringToUTF16("123")));
// => true
console.log(nfa.test(Words.fromStringToUTF16("abc123")));
// => true
console.log(nfa.test(Words.fromStringToUTF16("123abc")));
// => false
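The membership test above is what NFA#test does on refa's integer words. As an added example (not refa's own code), the block below builds the same kind of automaton from scratch: a small language-agnostic RE AST with character ranges, concatenation, alternation and quantifiers, a Thompson-style NFA construction from it, and a whole-word test. The type and function names (ReNode, SimpleNFA, build, fromRegex) are this example's own; fromStringToUTF16 is a stand-in for refa's Words.fromStringToUTF16 that produces one integer per UTF-16 code unit, and the AST for /\w+\d+/ is constructed by hand.

```typescript
// Added example, not refa's own code: a tiny RE AST, a Thompson-style NFA built from it,
// and a whole-word membership test. As in refa, characters are integers and words are
// integer arrays (UTF-16 code units from the fromStringToUTF16 helper defined below).
type ReNode =
  | { type: "char"; min: number; max: number }                 // inclusive code-unit range
  | { type: "concat"; parts: ReNode[] }
  | { type: "alt"; alternatives: ReNode[] }
  | { type: "quant"; min: number; max: number; body: ReNode }; // max = Infinity for a{n,}
interface Edge { min: number; max: number; to: number }

class SimpleNFA {
  readonly epsilon: number[][] = []; // epsilon[s]: states reachable from s without input
  readonly edges: Edge[][] = [];     // edges[s]: labelled transitions out of s
  start = 0;
  final = 0;
  newState(): number {
    this.epsilon.push([]);
    this.edges.push([]);
    return this.epsilon.length - 1;
  }
  // Expands a state set with everything reachable through epsilon transitions.
  private closure(states: Set<number>): Set<number> {
    const stack = Array.from(states);
    while (stack.length > 0) {
      const s = stack.pop() as number;
      for (const t of this.epsilon[s]) if (!states.has(t)) { states.add(t); stack.push(t); }
    }
    return states;
  }
  // Does the NFA accept exactly this word? (same contract as refa's NFA#test)
  test(word: number[]): boolean {
    let current = this.closure(new Set([this.start]));
    for (const c of word) {
      const next = new Set<number>();
      current.forEach(s => { for (const e of this.edges[s]) if (c >= e.min && c <= e.max) next.add(e.to); });
      current = this.closure(next);
      if (current.size === 0) return false; // no state can consume the rest of the word
    }
    return current.has(this.final);
  }
}

// Builds the fragment for `node` starting at state `from`; returns the fragment's end state.
function build(nfa: SimpleNFA, node: ReNode, from: number): number {
  switch (node.type) {
    case "char": {
      const to = nfa.newState();
      nfa.edges[from].push({ min: node.min, max: node.max, to });
      return to;
    }
    case "concat": {
      let cur = from;
      for (const part of node.parts) cur = build(nfa, part, cur);
      return cur;
    }
    case "alt": {
      const end = nfa.newState();
      for (const alt of node.alternatives) nfa.epsilon[build(nfa, alt, from)].push(end);
      return end;
    }
    case "quant": {
      // Laziness (a{2,}?) changes match preference, not the accepted language, so it is ignored.
      let cur = from;
      for (let i = 0; i < node.min; i++) cur = build(nfa, node.body, cur); // mandatory copies
      const end = nfa.newState();
      if (node.max === Infinity) {
        const loop = nfa.newState();
        nfa.epsilon[cur].push(loop);
        nfa.epsilon[build(nfa, node.body, loop)].push(loop); // body*, back to the loop head
        nfa.epsilon[loop].push(end);
      } else {
        for (let i = node.min; i < node.max; i++) { // optional copies, each may be skipped
          nfa.epsilon[cur].push(end);
          cur = build(nfa, node.body, cur);
        }
        nfa.epsilon[cur].push(end);
      }
      return end;
    }
    default:
      throw new Error("unknown node");
  }
}

function fromRegex(expression: ReNode): SimpleNFA {
  const nfa = new SimpleNFA();
  nfa.start = nfa.newState();
  nfa.final = build(nfa, expression, nfa.start);
  return nfa;
}
// Stand-in for refa's Words.fromStringToUTF16: one integer per UTF-16 code unit.
function fromStringToUTF16(s: string): number[] {
  const out: number[] = [];
  for (let i = 0; i < s.length; i++) out.push(s.charCodeAt(i));
  return out;
}
// Constructed AST for the README's /\w+\d+/, with \w = [A-Za-z0-9_].
const range = (lo: string, hi: string): ReNode => ({ type: "char", min: lo.charCodeAt(0), max: hi.charCodeAt(0) });
const wordChar: ReNode = { type: "alt", alternatives: [range("a", "z"), range("A", "Z"), range("0", "9"), range("_", "_")] };
const wordDigitRegex: ReNode = { type: "concat", parts: [
  { type: "quant", min: 1, max: Infinity, body: wordChar }, { type: "quant", min: 1, max: Infinity, body: range("0", "9") }] };
console.log(fromRegex(wordDigitRegex).test(fromStringToUTF16("abc123"))); // true
```

The set-based simulation is why an NFA of this shape runs in time linear in the word length times the number of states regardless of how ambiguous the pattern is; there is no backtracking, which is the property refa relies on when it converts a RegExp into an automaton.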
const regex1 = /a+B+c+/i;
const regex2 = /Ab*C\d?/;
const intersection = NFA.fromIntersection(toNFA(regex1), toNFA(regex2));
console.log(toRegExp(intersection));
// => /Ab+C/
const regex = /a+b*/i;
const dfa = toDFA(regex);
dfa.complement();
console.log(toRegExp(dfa));
// => /(?:(?:[^A]|A+(?:[^AB]|B+[^B]))[^]*)?/i
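NFA.fromIntersection and DFA#complement above are the two classical closure operations on automata. As an added example (not refa's own code), the block below implements both on a small DFA over integer characters: intersection by the product construction over character-class boundaries, and complement by first completing the automaton with a sink state and then flipping which states accept. The automata for the README's three patterns are constructed by hand here (refa builds them from the parsed AST), and the names SimpleDFA, CharRange, cuts, lit, ci and MAX_UTF16 are this example's own.

```typescript
// Added example, not refa's own code: a DFA over integer characters (UTF-16 code units,
// as in refa's Word type) with intersection via the product construction and complement
// via completion with a sink state. The automata below are constructed by hand.
interface CharRange { min: number; max: number; to: number } // inclusive range, target state

class SimpleDFA {
  // transitions[state] holds non-overlapping ranges; any uncovered character rejects.
  constructor(readonly transitions: CharRange[][], readonly finals: boolean[], readonly start: number = 0) {}

  step(state: number, c: number): number {
    for (const r of this.transitions[state]) if (c >= r.min && c <= r.max) return r.to;
    return -1; // implicit reject sink
  }

  test(word: number[]): boolean {
    let s = this.start;
    for (const c of word) {
      s = this.step(s, c);
      if (s < 0) return false;
    }
    return this.finals[s];
  }

  // Sorted cut points in [0, maxCharacter + 1]; between two consecutive cuts step() is constant.
  cuts(state: number, maxCharacter: number): number[] {
    const points = [0, maxCharacter + 1];
    for (const r of this.transitions[state]) points.push(r.min, r.max + 1);
    return Array.from(new Set(points)).filter(p => p <= maxCharacter + 1).sort((x, y) => x - y);
  }

  // Product construction: the result accepts a word iff both a and b accept it.
  static fromIntersection(a: SimpleDFA, b: SimpleDFA, maxCharacter: number): SimpleDFA {
    const index = new Map<string, number>();
    const pairs: [number, number][] = [];
    const transitions: CharRange[][] = [];
    const finals: boolean[] = [];
    const stateOf = (p: number, q: number): number => {
      const key = p + "," + q;
      let id = index.get(key);
      if (id === undefined) {
        id = pairs.length;
        index.set(key, id);
        pairs.push([p, q]);
        transitions.push([]);
        finals.push(a.finals[p] && b.finals[q]);
      }
      return id;
    };
    stateOf(a.start, b.start);
    for (let id = 0; id < pairs.length; id++) { // pairs grows while we explore (worklist)
      const [p, q] = pairs[id];
      const cuts = Array.from(new Set(a.cuts(p, maxCharacter).concat(b.cuts(q, maxCharacter)))).sort((x, y) => x - y);
      for (let i = 0; i + 1 < cuts.length; i++) {
        const min = cuts[i], max = cuts[i + 1] - 1;
        const p2 = a.step(p, min), q2 = b.step(q, min); // constant on the whole interval
        if (p2 >= 0 && q2 >= 0) transitions[id].push({ min, max, to: stateOf(p2, q2) });
      }
    }
    return new SimpleDFA(transitions, finals, 0);
  }

  // Complement: make every state total by routing uncovered intervals to a sink, then flip acceptance.
  complement(maxCharacter: number): SimpleDFA {
    const sink = this.transitions.length;
    const transitions = this.transitions.map((ranges, state) => {
      const completed = ranges.slice();
      const cuts = this.cuts(state, maxCharacter);
      for (let i = 0; i + 1 < cuts.length; i++)
        if (this.step(state, cuts[i]) < 0) completed.push({ min: cuts[i], max: cuts[i + 1] - 1, to: sink });
      return completed;
    });
    transitions.push([{ min: 0, max: maxCharacter, to: sink }]); // the sink loops on everything
    return new SimpleDFA(transitions, this.finals.map(f => !f).concat([true]), this.start);
  }
}

// Stand-in for refa's Words.fromStringToUTF16: one integer per UTF-16 code unit.
function fromStringToUTF16(s: string): number[] {
  const out: number[] = [];
  for (let i = 0; i < s.length; i++) out.push(s.charCodeAt(i));
  return out;
}
// Transition helpers: one literal character, or both cases of a letter (the i flag).
const cu = (ch: string): number => ch.charCodeAt(0);
const lit = (ch: string, to: number): CharRange[] => [{ min: cu(ch), max: cu(ch), to }];
const ci = (ch: string, to: number): CharRange[] => lit(ch.toUpperCase(), to).concat(lit(ch.toLowerCase(), to));
const MAX_UTF16 = 0xffff;

// /a+B+c+/i, constructed by hand: 0 -a-> 1 -a-> 1 -b-> 2 -b-> 2 -c-> 3 -c-> 3, final 3
const regex1 = new SimpleDFA(
  [ci("a", 1), ci("a", 1).concat(ci("b", 2)), ci("b", 2).concat(ci("c", 3)), ci("c", 3)],
  [false, false, false, true]);
// /Ab*C\d?/, constructed by hand: 0 -A-> 1 -b-> 1 -C-> 2 -[0-9]-> 3, finals 2 and 3
const regex2 = new SimpleDFA(
  [lit("A", 1), lit("b", 1).concat(lit("C", 2)), [{ min: cu("0"), max: cu("9"), to: 3 }], []],
  [false, false, true, true]);
const intersection = SimpleDFA.fromIntersection(regex1, regex2, MAX_UTF16); // language of /Ab+C/

// /a+b*/i, constructed by hand: 0 -a-> 1 -a-> 1 -b-> 2 -b-> 2, finals 1 and 2
const regex3 = new SimpleDFA([ci("a", 1), ci("a", 1).concat(ci("b", 2)), ci("b", 2)], [false, true, true]);
const notRegex3 = regex3.complement(MAX_UTF16); // every word that /a+b*/i does not match
console.log(intersection.test(fromStringToUTF16("AbbC")), notRegex3.test(fromStringToUTF16("abc"))); // true true
```

The complement needs the sink state because a DFA with missing transitions rejects by getting stuck; flipping acceptance alone would never accept the words that get stuck, which is exactly why the README's complemented pattern ends in [^]*, the regex form of "anything from here on reaches the (now accepting) sink".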
In the above examples, we have been using the toNFA helper function to parse and convert RegExps. This function assumes that the given RegExp is a pure regular expression without assertions and backreferences and will throw an error if the assumption is not met.
However, the JS parser and NFA.fromRegex provide some options to work around and even solve this problem.
Firstly, the parser will automatically resolve simple backreferences. Even toNFA will do this since it's on by default:
console.log(toRegExp(toNFA(/("|').*?\1/)));
// => /".*"|'.*'/i
But it will throw an error for non-trivial backreferences that cannot be resolved:
toNFA(/(#+).*\1|foo/);
// Error: Backreferences are not supported.
The only way to parse the RegExp despite unresolvable backreferences is to remove the backreferences. This means that the result will be imperfect but it might still be useful.
const regex = /(#+).*\1|foo/;
const { expression } =
JS.Parser.fromLiteral(regex).parse({ backreferences: "disable" });
console.log(JS.toLiteral(expression));
// => { source: 'foo', flags: '' }
Note that the foo alternative is kept because it is completely unaffected by the unresolvable backreferences.
While the parser and AST format can handle assertions, the NFA construction cannot.
const regex = /\b(?!\d)\w+\b|->/;
const { expression, maxCharacter } = JS.Parser.fromLiteral(regex).parse();
console.log(JS.toLiteral(expression));
// => { source: '\\b(?!\\d)\\w+\\b|->', flags: 'i' }
NFA.fromRegex(expression, { maxCharacter });
// Error: Assertions are not supported yet.
Similarly to backreferences, we can let the parser remove them:
const regex = /\b(?!\d)\w+\b|->/;
const { expression, maxCharacter } =
JS.Parser.fromLiteral(regex).parse({ assertions: "disable" });
console.log(JS.toLiteral(expression));
// => { source: '->', flags: 'i' }
const nfa = NFA.fromRegex(expression, { maxCharacter });
console.log(toRegExp(nfa));
// => /->/i
Or we can let the NFA construction method remove them:
const regex = /\b(?!\d)\w+\b|->/;
const { expression, maxCharacter } = JS.Parser.fromLiteral(regex).parse();
console.log(JS.toLiteral(expression));
// => { source: '\\b(?!\\d)\\w+\\b|->', flags: 'i' }
const nfa = NFA.fromRegex(expression, { maxCharacter }, { assertions: "disable" });
console.log(toRegExp(nfa));
// => /->/i
Prefer using the parser to remove assertions if possible. The parser is quite clever and will optimize based on the fact that assertions can be removed, resulting in faster parse times.
However, simply removing assertions is not ideal since they are a lot more common than backreferences. To work around this, refa has AST transformers. AST transformers can make changes to a given AST. While each transformer is rather simple, they can also work together to accomplish more complex tasks. Applying and removing assertions is one such task.
The simplest transformer to remove assertions (among other things) is the simplify transformer. It will inline expressions, remove dead branches, apply/remove assertions, optimize quantifiers, and more.
import { JS, NFA, Transformers, transform } from "refa";
const regex = /\b(?!\d)\w+\b|->/;
const { expression, maxCharacter } = JS.Parser.fromLiteral(regex).parse();
console.log(JS.toLiteral(expression));
// => { source: '\\b(?!\\d)\\w+\\b|->', flags: '' }
const modifiedExpression = transform(Transformers.simplify(), expression);
console.log(JS.toLiteral(modifiedExpression));
// => { source: '(?<!\\w)[A-Z_]\\w*(?!\\w)|->', flags: 'i' }
// Most assertions have been removed but the patterns are still equivalent.
// The only assertions left assert characters beyond the edge of the pattern.
// Removing those assertions is easy but slightly changes the pattern.
const finalExpression = transform(Transformers.patternEdgeAssertions({ remove: true }), modifiedExpression);
console.log(JS.toLiteral(finalExpression));
// => { source: '[A-Z_]\\w*|->', flags: 'i' }
const nfa = NFA.fromRegex(finalExpression, { maxCharacter });
console.log(JS.toLiteral(nfa.toRegex()));
// => { source: '->|[A-Z_]\\w*', flags: 'i' }
AST transformers can handle a lot of assertions, but there are limitations. Transformers cannot handle assertions that are too complex or require large-scale changes to the AST. Let's take a look at a few examples:
import { JS, Transformers, transform } from "refa";
function simplify(regex: RegExp): void {
const { expression } = JS.Parser.fromLiteral(regex).parse();
const simplifiedExpression = transform(Transformers.simplify(), expression);
const literal = JS.toLiteral(simplifiedExpression);
console.log(new RegExp(literal.source, literal.flags));
}
simplify(/\b(?!\d)\b\w+\b\s*\(/);
// => /(?<!\w)[A-Z_]\w*\s*\(/i
simplify(/(?:^|@)\b\w+\b/);
// => /(?:^|@)\w+(?!\w)/
simplify(/"""(?:(?!""").)*"""/s);
// => /"""(?:"{0,2}[^"])*"""/
simplify(/"""((?!""")(?:[^\\]|\\"))*"""/);
// => /"""(?:"{0,2}(?:[^"\\]|\\"))*"""/
simplify(/<title>(?:(?!<\/title>).)*<\/title>/s);
// => /<title>(?:[^<]|<+(?:[^/<]|\/(?!title>)))*<+\/title>/
simplify(/^```$.*?^```$/ms);
// => /^```[\n\r\u2028\u2029](?:[^]*?[\n\r\u2028\u2029])??```$/m
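A transformer that rewrites assertions is only useful if the rewritten pattern still matches the same things. As an added example (not refa's own code), the block below is the kind of empirical check a practitioner would run over the README's simplify() outputs: it evaluates the original and transformed patterns as plain JS RegExps over a constructed list of sample inputs and reports every input on which the first match differs. It also applies the same check to the pair from the patternEdgeAssertions({ remove: true }) step, which the README says "slightly changes the pattern"; the inputs on which that shows up are the ones whose word starts right after another word character. The sample inputs, the function names and the constant names are this example's own.

```typescript
// Added example, not refa's own code: an empirical equivalence check of transformed
// patterns using plain JS RegExp over constructed sample inputs. All patterns are
// non-global, so exec() always searches from the start of the input.
function firstMatch(re: RegExp, input: string): string | null {
  const m = re.exec(input);
  return m === null ? null : `${m.index}:${m[0]}`; // match position and text
}

// Inputs on which the two patterns do not produce the same first match.
function differingInputs(original: RegExp, transformed: RegExp, inputs: string[]): string[] {
  return inputs.filter(s => firstMatch(original, s) !== firstMatch(transformed, s));
}

// Constructed sample inputs: word boundaries, leading digits, quotes, the arrow token, calls.
const SAMPLE_INPUTS = ["", "foo", "foo bar", "1abc", "abc1", "_x9 y", "a->b", "->", "@name", "x@y z",
  '"""ab"""', '"""a""b"""', '"""ab""""', '"""a\nb"""', "fn (x)", "fn2(x)", "9fn(x)", "f (", '"""abc'];

// Pairs taken from the README's simplify() outputs: original first, transformed second.
const EQUIVALENT_PAIRS: [RegExp, RegExp][] = [
  [/\b(?!\d)\w+\b|->/, /(?<!\w)[A-Z_]\w*(?!\w)|->/i],
  [/\b(?!\d)\b\w+\b\s*\(/, /(?<!\w)[A-Z_]\w*\s*\(/i],
  [/(?:^|@)\b\w+\b/, /(?:^|@)\w+(?!\w)/],
  [new RegExp('"""(?:(?!""").)*"""', "s"), /"""(?:"{0,2}[^"])*"""/],
];
// The README's patternEdgeAssertions({ remove: true }) step: before and after removal.
const EDGE_REMOVED_PAIR: [RegExp, RegExp] = [/(?<!\w)[A-Z_]\w*(?!\w)|->/i, /[A-Z_]\w*|->/i];

// Every disagreement found among the pairs that should be equivalent (expected: none).
function checkEquivalentPairs(): string[] {
  const problems: string[] = [];
  for (const [original, transformed] of EQUIVALENT_PAIRS)
    for (const s of differingInputs(original, transformed, SAMPLE_INPUTS))
      problems.push(`${original} vs ${transformed} on ${JSON.stringify(s)}`);
  return problems;
}

// Inputs that witness the change made by removing the edge assertions.
function edgeRemovalDifferences(): string[] {
  return differingInputs(EDGE_REMOVED_PAIR[0], EDGE_REMOVED_PAIR[1], SAMPLE_INPUTS);
}

console.log(checkEquivalentPairs());    // []
console.log(edgeRemovalDifferences());  // [ '1abc', '9fn(x)' ]
```

A sample-based check like this cannot prove equivalence; that is what converting both patterns to automata and comparing them is for. It is, however, a cheap regression test to keep next to any regex you let a transformer rewrite.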
Transformers.simplify is very aggressive when it comes to assertions. It will try to remove assertions whenever possible, even if it means that the overall AST will become more complex (within some limits). This may result in longer/more complex regexes, but it will also allow NFA and ENFA to support many more regexes.
0.12.1 (2023-09-13)
Added:
CharMap#{size,entryCount} to get the size of a map.
CharMap#copy to create a (mapped) copy of a map.
StringSet#{is{Proper,}{Subset,Superset}Of,isDisjointWith} for set relations.
UnicodeSet#{is{Proper,}{Subset,Superset}Of,isDisjointWith} for set relations.
UnicodeSet#{wordSets,maximum} for a more ergonomic API.
UnicodeSet#{equals,union,intersect,without} now allow CharSets.
Changed:
StringSet#words is now private. This should have never been public in the first place.
StringSet.empty is now readonly.
Removed:
The range parameter from CharMap#entries.
StringSet#{equals,union}.
StringSet#{filter,map}. These methods should have never been public in the first place.
FAQs
A library for finite automata and regular expressions in the context of JS RegExp
The npm package refa receives a total of 560,589 weekly downloads. As such, refa popularity was classified as popular.
We found that refa demonstrated an unhealthy version release cadence and level of project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.