Potential Regular Expression Denial of Service (ReDoS) in valid-var-jsdoc

[yetingli]

Type of Issue
Potential Regular Expression Denial of Service (ReDoS)

Description
The vulnerable regular expressions are located in

fecs/lib/js/rules/valid-var-jsdoc.js

Line 28 in 6b01e8f

var CONST_PATTERN = /^[A-Z]([A-Z\d$]+_?)*[A-Z\d$]$/;

fecs/lib/js/rules/valid-var-jsdoc.js

Line 36 in 6b01e8f

var PASCAL_PATTERN = /^([A-Z][a-zA-Z\d$]+)+$/;

The ReDOS vulnerabilities can be exploited with the following string
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_

You can execute the following code to reproduce ReDos

var rule = require('../../../../lib/js/rules/valid-var-jsdoc');
var RuleTester = require('eslint').RuleTester;

var ruleTester = new RuleTester({parser: 'babel-eslint'});

ruleTester.run('valid-var-jsdoc', rule, {
    invalid: [
        'var AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_ = 1;',
        'const AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_ = 1;',
    ],
});

I think you can limit the input length or modify this regex.

[yetingli]

Hi,
For the CONST_PATTERN, I am willing to suggest that you replace /^[A-Z]([A-Z\d$]+_?)*[A-Z\d$]$/ with /^[A-Z]([A-Z\d$]_?)*[A-Z\d$]$/

For the PASCAL_PATTERN, you can replace /^([A-Z][a-zA-Z\d$]+)+$/ with /^([A-Z][a-zA-Z\d$]+)$/

These are equivalent fixes and the fixed regexes are safe.