ast/redos-dynamic-regexp-user-input
ReDoS: RegExp constructed from user-controlled string
What it detects
`new RegExp(<user input>)` (or `RegExp(<user input>)`) compiles a pattern the attacker wrote. Nested quantifiers such as `(a+)+$` make V8's backtracking engine try every way of splitting the input between the inner and outer `+` before it gives up, so against a subject that almost matches (a run of `a`s followed by any other character) the match takes time exponential in the run length. Because `.test()`, `.match()` and `.exec()` are synchronous, that work blocks the Node event loop and every other request on the same instance; on serverless the invocation also runs until the platform timeout and is billed for that CPU. The attacker does not need to control the subject string as well: whoever chooses the pattern can craft one that backtracks catastrophically on any sufficiently long subject (for example `(.+)+X` against text that contains no `X`). Fix it in one of three ways: accept a name that selects from an allow-list of pre-compiled patterns instead of accepting pattern text; escape the input (`input.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')`, or `RegExp.escape` where the runtime has it) so it is matched as a literal; or compile and run the pattern in a worker thread and `terminate()` the worker after a deadline, since a `setTimeout` on the main thread cannot fire while a synchronous match is running.
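The flagged call shape beside the three fixes listed above, as an added example that is not repoguard's code or part of the original rule page. It assumes Node.js (for `node:worker_threads`), and the names `ALLOWED_PATTERNS`, `matchAllowed`, `searchLiteral` and `testWithTimeout` are illustrative, not an API of the tool or of any library:

```javascript
// Added example for this rule page, not repoguard's or the page author's code.
// Shows the call shape the rule flags and the three mitigations the rule
// description lists. Function and constant names here are illustrative.

// Constructed attacker input: nested quantifier anchored at the end. Against a
// subject of n 'a's followed by a character that is not 'a', the backtracking
// engine tries on the order of 2^n ways to split the run between the inner and
// outer '+' before failing. Do not pass these to searchVulnerable.
const ATTACKER_PATTERN = '(a+)+$';
const HOSTILE_SUBJECT = 'a'.repeat(28) + '!';

// FLAGGED by ast/redos-dynamic-regexp-user-input: the pattern text is user input.
function searchVulnerable(userInput, subject) {
  return new RegExp(userInput).test(subject);
}

// Mitigation 1: allow-list. User input selects a pre-compiled pattern by name;
// the pattern text itself never comes from the request. Object.hasOwn (rather
// than `in`) keeps names like '__proto__' from resolving to inherited values.
const ALLOWED_PATTERNS = Object.freeze({
  email: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,
  uuid: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,
});
function matchAllowed(name, subject) {
  if (!Object.hasOwn(ALLOWED_PATTERNS, name)) {
    throw new Error(`unknown pattern name: ${name}`);
  }
  return ALLOWED_PATTERNS[name].test(subject);
}

// Mitigation 2: escape every regex metacharacter so the input is matched as a
// literal (same character class as MDN's escapeRegExp; newer engines also ship
// RegExp.escape). Quantifiers in the input become literal '+' and '$'.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
function searchLiteral(userInput, subject, flags = 'i') {
  return new RegExp(escapeRegExp(userInput), flags).test(subject);
}

// Mitigation 3: when the pattern really must be user-supplied, compile and run
// it in a worker thread and terminate() the worker on a deadline. A setTimeout
// on the main thread would never fire while test() is running there, because
// test() is synchronous and the event loop is blocked; the worker is stopped
// from the outside instead. Dynamic import keeps this file CommonJS/ESM neutral.
const WORKER_SOURCE = `
  const { parentPort, workerData } = require('node:worker_threads');
  const { pattern, flags, subject } = workerData;
  parentPort.postMessage(new RegExp(pattern, flags).test(subject));
`;
async function testWithTimeout(pattern, subject, { flags = '', timeoutMs = 200 } = {}) {
  const { Worker } = await import('node:worker_threads');
  return new Promise((resolve, reject) => {
    const worker = new Worker(WORKER_SOURCE, {
      eval: true,
      workerData: { pattern, flags, subject },
    });
    const timer = setTimeout(() => {
      worker.terminate();
      reject(new Error(`regex exceeded ${timeoutMs} ms and was terminated`));
    }, timeoutMs);
    worker.once('message', (matched) => {
      clearTimeout(timer);
      worker.terminate();
      resolve(matched);
    });
    worker.once('error', (err) => {
      clearTimeout(timer);
      reject(err);
    });
  });
}

// Usage when run directly with `node`: the hostile pair hits the deadline and
// is rejected instead of hanging the process.
if (typeof require !== 'undefined' && require.main === module) {
  testWithTimeout(ATTACKER_PATTERN, HOSTILE_SUBJECT)
    .then((matched) => console.log('matched:', matched))
    .catch((err) => console.log(err.message));
}
```

Two notes on the choice between fixes: once the input is escaped to a literal, a regex buys nothing that `String.prototype.includes` does not, so the escape path usually means the regex can be dropped altogether; and the worker path pays a thread start per call, so in a hot path keep a small pool of workers rather than spawning one per request.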
How it runs
Each scanned file is parsed with the TypeScript Compiler API (via ts-morph), and this rule walks the resulting AST for `new RegExp(...)` and `RegExp(...)` calls whose pattern argument flows from user input. Files larger than 200 KB, or that fail to parse, are skipped, so a dynamic RegExp in such a file is not reported.
Found a false positive or want this rule tuned? File an issue. You can also suppress the rule per repository with a line in `.repoguardignore`.