Potential Regular Expression Denial of Service (ReDoS) in valid-var-jsdoc

**Type of Issue**
Potential Regular Expression Denial of Service (ReDoS)

**Description**
The vulnerable regular expressions are located in

https://github.com/ecomfe/fecs/blob/6b01e8fc808e450de6fd2fc24cb9aacd58ba5ef6/lib/js/rules/valid-var-jsdoc.js#L28

https://github.com/ecomfe/fecs/blob/6b01e8fc808e450de6fd2fc24cb9aacd58ba5ef6/lib/js/rules/valid-var-jsdoc.js#L36

The ReDOS vulnerabilities  can be exploited with the following string
`AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_`

You can execute the following code to reproduce ReDos

```Javascript
var rule = require('../../../../lib/js/rules/valid-var-jsdoc');
var RuleTester = require('eslint').RuleTester;

var ruleTester = new RuleTester({parser: 'babel-eslint'});

ruleTester.run('valid-var-jsdoc', rule, {
    invalid: [
        'var AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_ = 1;',
        'const AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_ = 1;',
    ],
});
```




I think you can limit the input length or modify this regex.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Potential Regular Expression Denial of Service (ReDoS) in valid-var-jsdoc #362

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Potential Regular Expression Denial of Service (ReDoS) in valid-var-jsdoc #362

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions