test: ReDoS vulnerability of UUID regex

vbudovski · Jan 1, 2025 · bfd84ad · bfd84ad
1 parent d2460ce
commit bfd84ad
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/paseri-lib/src/schemas/string.test.ts b/paseri-lib/src/schemas/string.test.ts
@@ -236,7 +236,7 @@ test('Emoji ReDoS', () => {
     expect(diagnostics.status).toBe('safe');
 });
 
-test('Valid uuid', () => {
+test('Valid UUID', () => {
     const schema = p.string().uuid();
 
     fc.assert(
@@ -252,7 +252,7 @@ test('Valid uuid', () => {
     );
 });
 
-test('Invalid uuid', () => {
+test('Invalid UUID', () => {
     const schema = p.string().uuid();
 
     fc.assert(
@@ -270,6 +270,16 @@ test('Invalid uuid', () => {
     );
 });
 
+test('UUID ReDoS', () => {
+    const diagnostics = checkSync(uuidRegex.source, uuidRegex.flags);
+    if (diagnostics.status === 'vulnerable') {
+        console.log(`Vulnerable pattern: ${diagnostics.attack.pattern}`);
+    } else if (diagnostics.status === 'unknown') {
+        console.log(`Error: ${diagnostics.error.kind}.`);
+    }
+    expect(diagnostics.status).toBe('safe');
+});
+
 test('Valid Nano ID', () => {
     const schema = p.string().nanoid();
     // FIXME: fast-check doesn't like case-insensitive regexes.