# regexSuperLinearBacktracking
Reports regular expressions with exponential or polynomial backtracking.
✅ This rule is included in the ts logical presets.
Reports regular expressions that can cause exponential or polynomial backtracking. These patterns can be exploited to cause Regular Expression Denial of Service (ReDoS) attacks, where a malicious input string causes the regex engine to take an extremely long time to process.
## Examples

### Self-Referential Quantifiers

When a quantifier can reach itself through a parent quantifier (a nested repetition such as `(?:a+)+`), the engine can backtrack exponentially: on an input that ultimately fails to match, it tries every way of dividing the repeated characters between the inner and the outer quantifier before giving up.

Invalid:

```js
const pattern = /(?:a+)+/;
const pattern = /b(?:a+)+b/;
```

Valid:

```js
const pattern = /(?:a)+/;
const pattern = /ba+b/;
```

### Trading Quantifiers

When two adjacent quantifiers can match the same characters (for example `a+a+`, where either `a+` can take any of the `a`s), they trade characters back and forth during backtracking, which causes polynomial (typically quadratic) backtracking. Note that the valid examples below are not drop-in replacements: `/\ba+$/` also accepts a single `a`, whereas `/\ba+a+$/` requires at least two. An equivalent rewrite of `/\ba+a+$/` that matches exactly the same strings is `/\ba{2,}$/`.

Invalid:

```js
const pattern = /\ba+a+$/;
const pattern = /\b\w+a\w+$/;
```

Valid:

```js
const pattern = /\ba+$/;
const pattern = /\b\w+a$/;
```

### RegExp Constructor

The rule also applies to patterns created with the `RegExp` constructor.

Invalid:

```js
const pattern = new RegExp("(?:a+)+");
```

Valid:

```js
const pattern = new RegExp("(?:a)+");
```

## Options

This rule is not configurable.
## When Not To Use It

If you are confident that your regular expressions will only ever run against trusted input that an attacker cannot influence, you might consider disabling this rule. Keep in mind that "input" includes anything user-controlled that reaches the regex, such as request paths, headers, form fields and uploaded file contents.
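To see what the untrusted-input caveat means in practice, here is an added example (not code from the rule's documentation or from the linter project) that times two of the invalid patterns from the examples above on inputs constructed to make them fail, beside linear-time rewrites that accept exactly the same strings. The input strings, the size lists, the `performance.now()` timing and the `/\ba{2,}$/` rewrite are my own choices; `/\ba{2,}$/` is equivalent to `/\ba+a+$/`, whereas the page's valid example `/\ba+$/` also accepts a single `a`.

```javascript
// Added example, not part of the rule's documentation. Run with: node redos-demo.js
// `performance` is a Node.js global (Node 16+), so no import is needed.

// Constructed inputs (made up for this demo). Each is built so that the
// vulnerable pattern is forced to FAIL after consuming the run of "a"s:
// a failing match is what makes the engine try every way of splitting
// that run between the quantifiers.
function nestedInput(n) {
  return "b" + "a".repeat(n) + "c"; // /b(?:a+)+b/ fails on the trailing "c"
}
function tradingInput(n) {
  return "a".repeat(n) + "!"; // /\ba+a+$/ fails because "$" never follows an "a"
}

// Self-referential quantifier: /b(?:a+)+b/ explores 2^(n-1) ways to split
// n "a"s between the inner a+ and the outer (...)+ before giving up.
// /ba+b/ matches exactly the same strings in linear time.
const NESTED_VULNERABLE = /b(?:a+)+b/;
const NESTED_SAFE = /ba+b/;

// Trading quantifiers: in /\ba+a+$/ the two a+ hand "a"s back and forth,
// giving O(n^2) work on a failing input. /\ba{2,}$/ is the equivalent
// single-quantifier form and is linear.
const TRADING_VULNERABLE = /\ba+a+$/;
const TRADING_SAFE = /\ba{2,}$/;

// Time a single regex test in milliseconds.
function timeTest(re, input) {
  const start = performance.now();
  const matched = re.test(input);
  return { matched, ms: performance.now() - start };
}

// Timings for each n in `sizes`, so growth can be compared. Keep the nested
// vulnerable case small (n <= 24 or so); every extra "a" roughly doubles the time.
function growth(re, makeInput, sizes) {
  return sizes.map((n) => ({ n, ...timeTest(re, makeInput(n)) }));
}

// A rewrite is only a fix if it accepts and rejects the same strings as the
// original; this checks both pairs on a constructed sample set.
function rewritesAgree() {
  const samples = [
    "b", "ba", "bab", "baab", "baaaab", "bac", "baaac", "xbab",
    "a", "aa", "aaa", "aab", "a!", "b aa", "aa aa", "aaa!",
  ];
  return samples.every(
    (s) =>
      NESTED_VULNERABLE.test(s) === NESTED_SAFE.test(s) &&
      TRADING_VULNERABLE.test(s) === TRADING_SAFE.test(s),
  );
}

function main() {
  console.log("nested, vulnerable:", growth(NESTED_VULNERABLE, nestedInput, [10, 14, 18, 22]));
  console.log("nested, safe:      ", growth(NESTED_SAFE, nestedInput, [10, 14, 18, 22, 200000]));
  console.log("trading, vulnerable:", growth(TRADING_VULNERABLE, tradingInput, [1000, 2000, 4000, 8000]));
  console.log("trading, safe:      ", growth(TRADING_SAFE, tradingInput, [1000, 2000, 4000, 8000, 1000000]));
  console.log("rewrites agree:", rewritesAgree());
}

if (typeof require !== "undefined" && require.main === module) {
  main();
}
```

In the output, the nested vulnerable timings roughly double for each extra `a` and the trading vulnerable timings roughly quadruple each time `n` doubles, while both safe patterns stay flat even at inputs thousands of times longer. That growth curve, not the absolute numbers, is what the rule is protecting you from: an attacker only needs to find the input length at which your server spends seconds inside a single `test()` call.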