Regular Expressions (RegEx) are widely used by software engineers and DevOps practitioners: a pattern is written once and then matched against arbitrary text to find, extract, or validate strings.
Often, programmers will use RegEx to validate that an input received from a user conforms to an expected condition. For example:
Testing that a user's provided e-mail address is valid:
var testEmail = /^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/.exec('john@example.com');
The risk inherent in Regular Expressions is the computational cost of matching a pattern against text. A flawed pattern can be attacked by supplying input that forces the engine to spend an enormous number of CPU cycles on a single match. Because Node.js runs JavaScript on a single event-loop thread, such a match blocks the whole application and renders it unresponsive; this is referred to as ReDoS (Regular Expression Denial of Service).
This rule detects RegExp constructors whose pattern argument is not a literal and may therefore contain user input.
Examples of incorrect code for this rule:
RegExp('\\w+' + input); // untrusted `input` becomes part of the pattern
// OR
RegExp(input);           // the whole pattern is untrusted
Examples of correct code for this rule:
RegExp('\\w+'); // pattern is a string literal, fixed at development time
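When a pattern genuinely has to be built at runtime (a user-supplied search term, for instance), the defensive approach is to escape every RegExp metacharacter in the untrusted value so that it is matched literally, and to bound its length before compiling it. The following is an added example, not code from the rule's documentation or from ESLint; the function names, the `MAX_PATTERN_LENGTH` limit and the sample inputs are assumptions made here. Note that the rule will still flag `new RegExp(escapeRegExp(userInput))` because the argument is non-literal, so a construction like this should be reviewed and explicitly allowed rather than silenced globally.

```javascript
// Added example: safely deriving a RegExp from untrusted input.
// Assumption: `MAX_PATTERN_LENGTH` is a hypothetical application-level limit.
const MAX_PATTERN_LENGTH = 100;

// Escape every RegExp metacharacter so the text is matched literally
// (same character set MDN recommends for escaping user-provided strings).
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Unsafe: the raw string becomes the pattern, so metacharacters in the
// input change the structure (and therefore the cost) of the match.
function unsafeMatcher(userInput) {
  return new RegExp(userInput);
}

// Safe: length-bounded and escaped, so the input can only ever describe
// a fixed literal substring; matching cost stays linear in the text length.
function safeLiteralSearch(userInput) {
  if (typeof userInput !== 'string' || userInput.length > MAX_PATTERN_LENGTH) {
    throw new TypeError(
      'search term must be a string of at most ' + MAX_PATTERN_LENGTH + ' characters'
    );
  }
  return new RegExp(escapeRegExp(userInput), 'i');
}

// Constructed sample input: the user typed the term "a+" into a search box.
const sampleTerm = 'a+';
const sampleText = 'aaa';

// With the unsafe matcher, "a+" is interpreted as "one or more a" and
// matches "aaa"; with the safe matcher it only matches the literal "a+".
console.log(unsafeMatcher(sampleTerm).test(sampleText));      // true
console.log(safeLiteralSearch(sampleTerm).test(sampleText));  // false
console.log(safeLiteralSearch(sampleTerm).test('see a+ here')); // true
```

If the application needs user-controlled pattern syntax rather than literal search, escaping is not enough; in that case the pattern should be validated against a restricted grammar or matched with a bounded-time engine, and the rule's warning is exactly the prompt to make that decision deliberately.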