JS-Interpreter RegExp Demo

Pathological regular expressions can execute in geometric time. For example 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaac'.match(/^(a+)+b/) will effectively crash many JavaScript runtimes. JS-Interpreter instances have three modes for handling regular expressions.

myInterpreter.REGEXP_MODE = 0

In mode 0, all regular expressions are disabled and throw an error. This is safe and works in every environment.

// All regular expressions will fail here. try { alert('hello'.search(/(.)\1+/)); } catch (e) { alert(e); }
Parse Step Run

myInterpreter.REGEXP_MODE = 1

In mode 1, all regular expressions are executed natively. This is potentially unsafe and works in every environment. Note that to exploit this vulnerability the malicious user generally needs to have access to setting both the regular expression and the matching string. And the worst case result is just a crash, not an escape from the sandbox.

// This regular expression is fine and returns 'll'. alert('hello'.match(/(.)\1+/)[0]);
Parse Step Run

myInterpreter.REGEXP_MODE = 2 (default mode)

In mode 2, all regular expressions are executed in a separate environment. In web browsers this means asynchronously in a Web Worker thread. In Node.js this means synchronously in a VM. If a regular expression takes more than myInterpreter.REGEXP_THREAD_TIMEOUT (default 1000 ms) then it is terminated and an error thrown. This is safe and works in most environments.

If neither Web Workers nor VMs are supported (such as Internet Explorer 9 or 10, or the JS-Intepreter interpreting itself, or some special enviornments such as browser extensions), then all regular expressions will throw an error (same as REGEXP_MODE 0).

// This regular expression is fine and returns 'aaac'. alert('aaac'.split(/^(a+)+b/)); try { // This regular expression is pathological and hits the timeout. alert('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaac'.split(/^(a+)+b/)); } catch (e) { alert(e); }
Parse Step Run

Back to the JS-Interpreter documentation.