/** * Safe regex utilities using ast-guard's ReDoS analysis. * * These utilities protect against ReDoS (Regular Expression Denial of Service) * attacks by validating patterns and enforcing input length limits. */ import { REDOS_THRESHOLDS } from '@enclave-vm/ast'; /** * Default maximum input length for safe regex operations. * Inputs longer than this will be rejected to prevent ReDoS attacks. */ export declare const DEFAULT_MAX_INPUT_LENGTH = 50000; /** * Configuration options for safe regex operations. */ export interface SafeRegexOptions { /** * Maximum input length to process. * If input exceeds this, operations return null/fallback. * @default 50000 */ maxInputLength?: number; /** * Analysis level for pattern vulnerability detection. * - 'catastrophic': Only detect exponential-time vulnerabilities (faster) * - 'polynomial': Also detect polynomial-time vulnerabilities (more thorough) * @default 'polynomial' */ level?: 'catastrophic' | 'polynomial'; /** * If true, throw an error when pattern is vulnerable instead of returning null. * @default false */ throwOnVulnerable?: boolean; } /** * Result from pattern analysis. */ export interface PatternAnalysisResult { /** Whether the pattern is safe to use */ safe: boolean; /** Vulnerability score (0-100, higher = more vulnerable) */ score: number; /** Type of vulnerability detected, if any */ vulnerabilityType?: string; /** Human-readable explanation of the vulnerability */ explanation?: string; } /** * Analyze a regex pattern for ReDoS vulnerability. * * Uses ast-guard's analyzeForReDoS to detect patterns that could cause * exponential or polynomial backtracking on malicious input. * * @param pattern - Regex pattern to analyze (string or RegExp) * @param level - Analysis level: 'catastrophic' or 'polynomial' * @returns Analysis result with safety assessment * * @example * ```typescript * const result = analyzePattern('(a+)+'); * // result.safe === false (nested quantifiers) * * const result2 = analyzePattern('[a-z]+'); * // result2.safe === true * ``` */ export declare function analyzePattern(pattern: string | RegExp, level?: 'catastrophic' | 'polynomial'): PatternAnalysisResult; /** * Check if a regex pattern is safe from ReDoS vulnerabilities. * * @param pattern - Regex pattern to check (string or RegExp) * @param level - Analysis level: 'catastrophic' or 'polynomial' * @returns true if pattern is safe, false if vulnerable * * @example * ```typescript * isPatternSafe('(a+)+'); // false - nested quantifiers * isPatternSafe('[a-z]+'); // true * isPatternSafe(/^foo$/); // true * ``` */ export declare function isPatternSafe(pattern: string | RegExp, level?: 'catastrophic' | 'polynomial'): boolean; /** * Create a validated RegExp that has been checked for ReDoS vulnerabilities. * * @param pattern - Pattern string * @param flags - Optional regex flags * @param options - Safety options * @returns RegExp if pattern is safe, null if vulnerable or invalid * * @example * ```typescript * const regex = createSafeRegExp('[a-z]+', 'g'); * if (regex) { * // Pattern is safe to use * } * ``` */ export declare function createSafeRegExp(pattern: string, flags?: string, options?: SafeRegexOptions): RegExp | null; /** * Execute regex test() with input length protection. * * Returns null if input exceeds maxInputLength to prevent ReDoS attacks. * * @param pattern - RegExp to test with * @param input - String to test * @param options - Safety options including maxInputLength * @returns Match result, or null if input is too long * * @example * ```typescript * const result = safeTest(/foo/, userInput, { maxInputLength: 10000 }); * if (result === null) { * // Input was too long, rejected for safety * } else if (result) { * // Pattern matched * } * ``` */ export declare function safeTest(pattern: RegExp, input: string, options?: SafeRegexOptions): boolean | null; /** * Execute regex match() with input length protection. * * Returns null if input exceeds maxInputLength to prevent ReDoS attacks. * * @param pattern - RegExp to match with * @param input - String to match against * @param options - Safety options including maxInputLength * @returns Match result array, or null if input is too long or no match * * @example * ```typescript * const matches = safeMatch(/(\d+)/, userInput, { maxInputLength: 5000 }); * ``` */ export declare function safeMatch(pattern: RegExp, input: string, options?: SafeRegexOptions): RegExpMatchArray | null; /** * Execute regex replace() with input length protection. * * Returns original input unchanged if it exceeds maxInputLength to prevent ReDoS attacks. * * @param input - String to perform replacement on * @param pattern - RegExp pattern to match * @param replacement - Replacement string or function * @param options - Safety options including maxInputLength * @returns Replaced string, or original input if too long * * @example * ```typescript * const result = safeReplace(userInput, /foo/g, 'bar', { maxInputLength: 10000 }); * ``` */ export declare function safeReplace(input: string, pattern: RegExp, replacement: string | ((match: string, ...args: unknown[]) => string), options?: SafeRegexOptions): string; /** * Execute regex exec() with input length protection. * * Returns null if input exceeds maxInputLength to prevent ReDoS attacks. * * @param pattern - RegExp to execute * @param input - String to execute against * @param options - Safety options including maxInputLength * @returns Exec result array, or null if input is too long or no match * * @example * ```typescript * const result = safeExec(/(\w+)/, userInput, { maxInputLength: 10000 }); * ``` */ export declare function safeExec(pattern: RegExp, input: string, options?: SafeRegexOptions): RegExpExecArray | null; /** * Check if input length is within safe limits for regex operations. * * @param input - String to check * @param maxLength - Maximum allowed length * @returns true if input is within limits */ export declare function isInputLengthSafe(input: string, maxLength?: number): boolean; export { REDOS_THRESHOLDS };