Add no-unsafe-regex rule (#146)

Author: bdougherty

docs/rules/no-unsafe-regex.md

@@ -0,0 +1,27 @@
+# Disallow unsafe regular expressions
+
+Uses [safe-regex](https://github.com/substack/safe-regex) to disallow potentially [catastrophic](http://regular-expressions.mobi/catastrophic.html) [exponential-time](http://perlgeek.de/blog-en/perl-tips/in-search-of-an-exponetial-regexp.html) regular expressions.
+
+## Fail
+
+```js
+const regex = /^(a?){25}(a){25}$/;
+const regex = RegExp(Array(27).join('a?') + Array(27).join('a'));
+const regex = /(x+x+)+y/;
+const regex = /foo|(x+x+)+y/;
+const regex = /(a+){10}y/;
+const regex = /(a+){2}y/;
+const regex = /(.*){1,32000}[bc]/;
+```
+
+
+## Pass
+
+```js
+const regex = /\bOakland\b/;
+const regex = /\b(Oakland|San Francisco)\b/i;
+const regex = /^\d+1337\d+$/i;
+const regex = /^\d+(1337|404)\d+$/i;
+const regex = /^\d+(1337|404)*\d+$/i;
+const regex = RegExp(Array(26).join('a?') + Array(26).join('a'));
+```

index.js

@@ -33,7 +33,8 @@ module.exports = {
 				'unicorn/new-for-builtins': 'error',
 				'unicorn/regex-shorthand': 'error',
 				'unicorn/prefer-spread': 'error',
-				'unicorn/error-message': 'error'
+				'unicorn/error-message': 'error',
+				'unicorn/no-unsafe-regex': 'error'
 			}
 		}
 	}

package.json

@@ -38,7 +38,8 @@
 		"lodash.camelcase": "^4.1.1",
 		"lodash.kebabcase": "^4.0.1",
 		"lodash.snakecase": "^4.0.1",
-		"lodash.upperfirst": "^4.2.0"
+		"lodash.upperfirst": "^4.2.0",
+		"safe-regex": "^1.1.0"
 	},
 	"devDependencies": {
 		"ava": "*",

readme.md

@@ -52,7 +52,8 @@ Configure it in `package.json`.
 			"unicorn/new-for-builtins": "error",
 			"unicorn/regex-shorthand": "error",
 			"unicorn/prefer-spread": "error",
-			"unicorn/error-message": "error"
+			"unicorn/error-message": "error",
+			"unicorn/no-unsafe-regex": "error"
 		}
 	}
 }
@@ -81,6 +82,7 @@ Configure it in `package.json`.
 - [regex-shorthand](docs/rules/regex-shorthand.md) - Enforce the use of regex shorthands to improve readability. *(fixable)*
 - [prefer-spread](docs/rules/prefer-spread.md) - Prefer the spread operator over `Array.from()`. *(fixable)*
 - [error-message](docs/rules/error-message.md) - Enforce passing a `message` value when throwing a built-in error.
+- [no-unsafe-regex](docs/rules/no-unsafe-regex.md) - Disallow unsafe regular expressions.
 
 
 ## Recommended config

rules/no-unsafe-regex.js

@@ -0,0 +1,59 @@
+'use strict';
+const safeRegex = require('safe-regex');
+const getDocsUrl = require('./utils/get-docs-url');
+
+const message = 'Unsafe regular expression.';
+
+const create = context => {
+	return {
+		'Literal[regex]': node => {
+			// Handle regex literal inside RegExp constructor in the other handler
+			if (node.parent.type === 'NewExpression' && node.parent.callee.name === 'RegExp') {
+				return;
+			}
+
+			if (!safeRegex(node.value)) {
+				context.report({
+					node,
+					message
+				});
+			}
+		},
+		'NewExpression[callee.name="RegExp"]': node => {
+			const args = node.arguments;
+
+			if (args.length === 0 || args[0].type !== 'Literal') {
+				return;
+			}
+
+			const hasRegExp = args[0].regex;
+
+			let pattern = null;
+			let flags = null;
+
+			if (hasRegExp) {
+				pattern = args[0].regex.pattern;
+				flags = args[1] && args[1].type === 'Literal' ? args[1].value : args[0].regex.flags;
+			} else {
+				pattern = args[0].value;
+				flags = args[1] && args[1].type === 'Literal' ? args[1].value : '';
+			}
+
+			if (!safeRegex(`/${pattern}/${flags}`)) {
+				context.report({
+					node,
+					message
+				});
+			}
+		}
+	};
+};
+
+module.exports = {
+	create,
+	meta: {
+		docs: {
+			url: getDocsUrl()
+		}
+	}
+};

test/no-unsafe-regex.js

@@ -0,0 +1,55 @@
+import test from 'ava';
+import avaRuleTester from 'eslint-ava-rule-tester';
+import rule from '../rules/no-unsafe-regex';
+
+const ruleTester = avaRuleTester(test, {
+	env: {
+		es6: true
+	},
+	parserOptions: {
+		sourceType: 'module'
+	}
+});
+
+const error = {
+	ruleId: 'no-unsafe-regex',
+	message: 'Unsafe regular expression.'
+};
+
+ruleTester.run('no-unsafe-regex', rule, {
+	valid: [
+		'const foo = /\bunicorn\b/',
+		'const foo = /\bunicorn\b/g',
+		`const foo = new RegExp('^\bunicorn\b')`,
+		`const foo = new RegExp('^\bunicorn\b', 'i')`,
+		'const foo = new RegExp(/\bunicorn\b/)',
+		'const foo = new RegExp(/\bunicorn\b/g)',
+		'const foo = new RegExp()'
+	],
+	invalid: [
+		{
+			code: 'const foo = /(x+x+)+y/',
+			errors: [error]
+		},
+		{
+			code: 'const foo = /(x+x+)+y/g',
+			errors: [error]
+		},
+		{
+			code: `const foo = new RegExp('(x+x+)+y')`,
+			errors: [error]
+		},
+		{
+			code: `const foo = new RegExp('(x+x+)+y', 'g')`,
+			errors: [error]
+		},
+		{
+			code: `const foo = new RegExp(/(x+x+)+y/)`,
+			errors: [error]
+		},
+		{
+			code: `const foo = new RegExp(/(x+x+)+y/g)`,
+			errors: [error]
+		}
+	]
+});