Cancel Regex match if timeout

You could spawn a child process that does the regex matching and kill it off if it hasn't completed in 10 seconds. Might be a bit overkill, but it should work.

fork is probably what you should use, if you go down this road.

If you'll forgive my non-pure functions, this code would demonstrate the gist of how you could communicate back and forth between the forked child process and your main process:

index.js

const { fork } = require('child_process');
const processPath = __dirname + '/regex-process.js';
const regexProcess = fork(processPath);
let received = null;

regexProcess.on('message', function(data) {
  console.log('received message from child:', data);
  clearTimeout(timeout);
  received = data;
  regexProcess.kill(); // or however you want to end it. just as an example.
  // you have access to the regex data here.
  // send to a callback, or resolve a promise with the value,
  // so the original calling code can access it as well.
});

const timeoutInMs = 10000;
let timeout = setTimeout(() => {
  if (!received) {
    console.error('regexProcess is still running!');
    regexProcess.kill(); // or however you want to shut it down.
  }
}, timeoutInMs);

regexProcess.send('message to match against');

regex-process.js

function respond(data) {
  process.send(data);
}

function handleMessage(data) {
  console.log('handing message:', data);
  // run your regex calculations in here
  // then respond with the data when it's done.

  // the following is just to emulate
  // a synchronous computational delay
  for (let i = 0; i < 500000000; i++) {
    // spin!
  }
  respond('return regex process data in here');
}

process.on('message', handleMessage);

This might just end up masking the real problem, though. You may want to consider reworking your regex like other posters have suggested.


Another solution I found here: https://www.josephkirwin.com/2016/03/12/nodejs_redos_mitigation/

Based on the use of VM, no process fork. That's pretty.

    const util = require('util');
    const vm = require('vm');

    var sandbox = {
        regex:/^(A+)*B/,
        string:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC",
        result: null
    };

    var context = vm.createContext(sandbox);
    console.log('Sandbox initialized: ' + vm.isContext(sandbox));
    var script = new vm.Script('result = regex.test(string);');
    try{
        // One could argue if a RegExp hasn't processed in a given time.
        // then, its likely it will take exponential time.
        script.runInContext(context, { timeout: 1000 }); // milliseconds
    } catch(e){
        console.log('ReDos occurred',e); // Take some remedial action here...
    }

    console.log(util.inspect(sandbox)); // Check the results