Detect usage of dynamic RegExps

[fraxken]

There is currently a lot of situations where we are missing dynamic RegExps. Ref and examples here: nodejs/security-wg#208

We should probably use the new Tracer to detect those cases (extension, proxy ...).

[fraxken]

One major issue if the fact that we analyze files one by one. It make the tracing of Proxies (and similar) impossible.

[jean-michelet]

One major issue if the fact that we analyze files one by one. It make the tracing of Proxies (and similar) impossible.

Can we create an Env class, do an initial traversal of the program's entire AST, storing all the things we should be aware of, and exploit it during analysis?

[fraxken]

Can we create an Env class, do an initial traversal of the program's entire AST, storing all the things we should be aware of, and exploit it during analysis?

No on multiple files it will cost an insane amount of memory. The only viable solution is to think "multiple iterations"

• First iteration to walk, generate tree and report suspect nodes
• Second iteration: look for suspect nodes

Kind of..

[fraxken]

Ok to be able to start solving this issue, let's begin with a probe that work in a single file

class MyRegExp extends RegExp {
    constructor(...args) {
        super(...args);
    }
}

const d = new MyRegExp('^node_modules\\/(@[^/]+\\/?[^/]+|[^/]+)(\\/.*)?$');

This code should detect one warning of kind unsafe-regex. We will work to support the Proxy pattern later.

[jean-michelet]

OK, looking into it.