safe-regex - npm Package Compare versions

Comparing version 1.1.0 to 2.0.0

index.js

@@ -1,39 +0,46 @@
-var parse = require('ret');
-var types = parse.types;
+const regexpTree = require('regexp-tree');
 
 module.exports = function (re, opts) {
-    if (!opts) opts = {};
-    var replimit = opts.limit === undefined ? 25 : opts.limit;
-    
-    if (isRegExp(re)) re = re.source;
-    else if (typeof re !== 'string') re = String(re);
-    
-    try { re = parse(re) }
-    catch (err) { return false }
-    
-    var reps = 0;
-    return (function walk (node, starHeight) {
-        if (node.type === types.REPETITION) {
-            starHeight ++;
-            reps ++;
-            if (starHeight > 1) return false;
-            if (reps > replimit) return false;
+  if (!opts) opts = {};
+  const replimit = opts.limit === undefined ? 25 : opts.limit;
+
+  let pattern = null;
+  if (isRegExp(re)) pattern = re.source;
+  else if (typeof re === 'string') pattern = re;
+  else pattern = String(re);
+
+  let ast = null;
+  try {
+    ast = regexpTree.parse(pattern);
+  } catch (err) {
+    try {
+      ast = regexpTree.parse(`/${pattern}/`); }
+    catch (err) {
+      return false;
+    }
+  }
+
+  let currentStarHeight = 0;
+  let maxObservedStarHeight = 0;
+
+  let repetitionCount = 0;
+
+  regexpTree.traverse(ast, {
+    'Repetition': {
+      pre ({node}) {
+        repetitionCount++;
+
+        currentStarHeight++;
+        if (maxObservedStarHeight < currentStarHeight) {
+          maxObservedStarHeight = currentStarHeight;
         }
-        
-        if (node.options) {
-            for (var i = 0, len = node.options.length; i < len; i++) {
-                var ok = walk({ stack: node.options[i] }, starHeight);
-                if (!ok) return false;
-            }
-        }
-        var stack = node.stack || (node.value && node.value.stack);
-        if (!stack) return true;
-        
-        for (var i = 0; i < stack.length; i++) {
-            var ok = walk(stack[i], starHeight);
-            if (!ok) return false;
-        }
-        
-        return true;
-    })(re, 0);
+      },
+
+      post ({node}) {
+        currentStarHeight--;
+      }
+    }
+  });
+
+  return (maxObservedStarHeight <= 1) && (repetitionCount <= replimit);
 };
@@ -40,0 +47,0 @@

package.json

 {
   "name": "safe-regex",
-  "version": "1.1.0",
+  "version": "2.0.0",
   "description": "detect possibly catastrophic, exponential-time regular expressions",
   "main": "index.js",
   "dependencies": {
-    "ret": "~0.1.10"
+    "regexp-tree": "~0.0.85"
   },
@@ -27,5 +27,5 @@ "devDependencies": {
     "type": "git",
-    "url": "git://github.com/substack/safe-regex.git"
+    "url": "git://github.com/davisjam/safe-regex.git"
   },
-  "homepage": "https://github.com/substack/safe-regex",
+  "homepage": "https://github.com/davisjam/safe-regex",
   "keywords": [
@@ -39,7 +39,7 @@ "catastrophic",
   "author": {
-    "name": "James Halliday",
-    "email": "mail@substack.net",
-    "url": "http://substack.net"
+    "name": "James C. (Jamie) Davis",
+    "email": "davisjam@vt.edu",
+    "url": "http://people.cs.vt.edu/~davisjam"
   },
   "license": "MIT"
 }

test/regex.js

@@ -10,3 +10,7 @@ var safe = require('../');
     /^\d+(1337|404)*\d+$/i,
+    /(a+)|(b+)/,
     RegExp(Array(26).join('a?') + Array(26).join('a')),
+    // String input.
+    'aaa',
+    '/^\d+(1337|404)*\d+$/'
 ];
@@ -29,3 +33,10 @@
     /(a+){2}y/,
-    /(.*){1,32000}[bc]/
+    /(.*){1,32000}[bc]/,
+    // Star height with branching and nesting.
+    /(a*|b)+$/,
+    /(a|b*)+$/,
+    /(((b*)))+$/,
+    /(((b*))+)$/,
+    // String input.
+    '(a+)+'
 ];
@@ -32,0 +43,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

No website

Quality

Package does not have a website.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

6297

increased by7.27%

Number of package files

8

increased by14.29%

Lines of code

97

increased by19.75%

Number of low quality alerts

0

decreased by-100%

Worsened metrics

Number of lines in readme file

64

decreased by-3.03%

Number of medium supply chain risk alerts

1

increased byInfinity%

Dependency changes

• + Addedregexp-tree@~0.0.85

• + Addedansi-regex@2.1.13.0.1(transitive)

• + Addedcamelcase@4.1.0(transitive)

• + Addedcli-table3@0.5.1(transitive)

• + Addedcliui@4.1.0(transitive)

• + Addedcode-point-at@1.1.0(transitive)

• + Addedcolors@1.4.0(transitive)

• + Addedcross-spawn@5.1.0(transitive)

• + Addeddecamelize@1.2.0(transitive)

• + Addedexeca@0.7.0(transitive)

• + Addedfind-up@2.1.0(transitive)

• + Addedget-caller-file@1.0.3(transitive)

• + Addedget-stream@3.0.0(transitive)

• + Addedinvert-kv@1.0.0(transitive)

• + Addedis-fullwidth-code-point@1.0.02.0.0(transitive)

• + Addedis-stream@1.1.0(transitive)

• + Addedisexe@2.0.0(transitive)

• + Addedlcid@1.0.0(transitive)

• + Addedlocate-path@2.0.0(transitive)

• + Addedlru-cache@4.1.5(transitive)

• + Addedmem@1.1.0(transitive)

• + Addedmimic-fn@1.2.0(transitive)

• + Addednpm-run-path@2.0.2(transitive)

• + Addednumber-is-nan@1.0.1(transitive)

• + Addedobject-assign@4.1.1(transitive)

• + Addedos-locale@2.1.0(transitive)

• + Addedp-finally@1.0.0(transitive)

• + Addedp-limit@1.3.0(transitive)

• + Addedp-locate@2.0.0(transitive)

• + Addedp-try@1.0.0(transitive)

• + Addedpath-exists@3.0.0(transitive)

• + Addedpath-key@2.0.1(transitive)

• + Addedpseudomap@1.0.2(transitive)

• + Addedregexp-tree@0.0.86(transitive)

• + Addedrequire-directory@2.1.1(transitive)

• + Addedrequire-main-filename@1.0.1(transitive)

• + Addedset-blocking@2.0.0(transitive)

• + Addedshebang-command@1.2.0(transitive)

• + Addedshebang-regex@1.0.0(transitive)

• + Addedsignal-exit@3.0.7(transitive)

• + Addedstring-width@1.0.22.1.1(transitive)

• + Addedstrip-ansi@3.0.14.0.0(transitive)

• + Addedstrip-eof@1.0.0(transitive)

• + Addedwhich@1.3.1(transitive)

• + Addedwhich-module@2.0.1(transitive)

• + Addedwrap-ansi@2.1.0(transitive)

• + Addedy18n@3.2.2(transitive)

• + Addedyallist@2.1.2(transitive)

• + Addedyargs@10.1.2(transitive)

• + Addedyargs-parser@8.1.0(transitive)

• - Removedret@~0.1.10

• - Removedret@0.1.15(transitive)