Do not use variable for regular expressions

Docs > Code Analysis > Static Analysis Rules > Do not use variable for regular expressions

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: javascript-browser-security/regexp-non-literal

Language: JavaScript

Severity: Warning

Category: Security

CWE: 1333

Description

Regular expressions should not use a variable as an argument since an attacker may inject values and cause a regular expression denial of service (ReDoS). Instead, use a library like recheck to check that no ReDoS can be triggered by a regular expression.

Non-Compliant Code Examples

const foo = new RegExp(req.something);
const bar = new RegExp(variable);

Compliant Code Examples

const TAG = "<tag>";

const foo = new RegExp(`^\\d+-${topicId}$`);
const foo = new RegExp(/something/);
const foo = new RegExp("weofiwje");
const foo = new RegExp(TAG, 'g');