/**
 * Regex Validator - ReDoS Protection
 *
 * Validates regex patterns to prevent Regular Expression Denial of Service (ReDoS) attacks.
 * Detects dangerous patterns like nested quantifiers, excessive nesting, and other
 * complexity indicators that can cause catastrophic backtracking.
 *
 * Security Note: This is a defense-in-depth measure. Even with validation,
 * regex execution should have timeout protection (see regex-executor.ts).
 * A pattern that passes validation must therefore not be treated as proven safe;
 * the checks reduce risk, they do not bound execution time.
 */
export interface RegexValidationOptions {
  /**
   * Maximum pattern length (default: 100 characters)
   * Longer patterns are more likely to be complex/malicious
   *
   * NOTE(review): this declaration does not show how length is counted
   * (UTF-16 code units vs. code points) - confirm in the implementation.
   */
  maxLength?: number;
  /**
   * Maximum nesting depth of groups (default: 3)
   * Deep nesting can indicate complexity
   */
  maxNestingDepth?: number;
  /**
   * Allow backreferences like \1, \2 (default: false)
   * Backreferences can be slow and are rarely needed
   *
   * NOTE(review): only numbered backreferences are mentioned here; whether the
   * named form (\k<name>) is also rejected is not visible from this declaration.
   */
  allowBackreferences?: boolean;
  /**
   * Allow lookaheads/lookbehinds (default: false)
   * These can be slow and are often unnecessary
   */
  allowLookarounds?: boolean;
}

/**
 * Regex pattern validator with ReDoS protection
 *
 * Only `validate` is public; the remaining members are private static helpers
 * whose signatures are not exposed in this declaration.
 */
export declare class RegexValidator {
  /**
   * Validate a regex pattern for safety
   *
   * Rejection is signalled only by throwing: the return type is void, so there
   * is no boolean result to inspect. Callers should let the error stop the
   * pattern from being compiled or executed rather than catching and continuing.
   *
   * @param pattern - Regex source text to check. Regex flags are not part of
   *   this signature.
   * @param options - Optional limits and feature toggles; each field falls back
   *   to the default documented on RegexValidationOptions. Every toggle relaxes
   *   a check, so options should come from trusted configuration rather than
   *   from the same untrusted source as the pattern.
   * @throws {SecurityError} if pattern is unsafe or too complex
   */
  static validate(pattern: string, options?: RegexValidationOptions): void;
  /**
   * Detect nested quantifiers like (a+)+, (a*)*, etc.
   * This is the PRIMARY ReDoS vulnerability pattern.
   */
  private static hasNestedQuantifiers;
  /**
   * Find other dangerous patterns
   *
   * NOTE(review): which patterns count as "other" (beyond nested quantifiers)
   * is not visible from this declaration - see the implementation.
   */
  private static findDangerousPattern;
  /**
   * Calculate maximum nesting depth of parentheses/groups
   */
  private static getMaxNestingDepth;
  /**
   * Detect backreferences: \1, \2, etc.
   */
  private static hasBackreferences;
  /**
   * Detect lookarounds: (?=, ?!, ?<=, ?