add safeRegex query option

Author: seangarner

CHANGELOG.md

@@ -1,5 +1,10 @@
 # mongo-url-parser changelog
 
+## NEXT
+
+  - added `safeRegex` `query` option
+    + checks regex query operator values for regex which could be used as a DoS
+
 ## 1.4.0 (2017/11/22)
 
   - added support for `$not` query operator in combination with most operators

README.md

@@ -164,6 +164,21 @@ var options = {
 mongoUrlUtils({query: 'regex(email,"[email protected]",i)'}, options);
 ```
 
+#### regex safety checking
+The `regex` query operator can be dangerous allowing attackers to create an expensive expression.
+Set `safeRegex` to `true` to pass all regexes through [safe-regex](https://github.com/substack/safe-regex)
+and throw an error if an unsafe regex is sent.
+
+```js
+var options = {
+  query: {
+    safeRegex: true
+  }
+};
+mongoUrlUtils({query: 'regex(email,"(a+){10}y")'}, options);
+// throws Error
+```
+
 #### mongo types
 The `type()` query operator allows either integer identifiers as per the mongodb documentation.  For
 convinience it also maps the following types to their ids: `Double`, `String`, `Object`, `Array`,

package.json

@@ -28,7 +28,8 @@
   "author": "Sean Garner <[email protected]>",
   "license": "MIT",
   "dependencies": {
-    "is": "^3.0.1"
+    "is": "^3.0.1",
+    "safe-regex": "^1.1.0"
   },
   "devDependencies": {
     "in-publish": "^2.0.0",

src/query.pegjs

@@ -1,8 +1,11 @@
 {
+  const safeRegex = require('safe-regex');
+
   //TODO: disabled presets (e.g. mongo 2.2/2.6/3.0)
   //TODO: determine dependencies automatically
   if (!Array.isArray(options.disabledOperators)) options.disabledOperators = [];
   if (options.caseInsensitiveOperators === undefined) options.caseInsensitiveOperators = false;
+  if (options.safeRegex === undefined) options.safeRegex = false;
 
   function collect(head, tail) {
     var res = [head];
@@ -58,6 +61,12 @@
       throw new Error(dateTimeStr + ' is not a valid date time string');
     }
   }
+
+  function assertSafeRegex(regex) {
+    if (options.safeRegex && !safeRegex(regex)) {
+      throw new Error('regex not safe; too many repetitions or star height is above 1');
+    }
+  }
 }
 
 start
@@ -142,6 +151,7 @@ ArrayComparison
 Regex
   = "regex(" __ prop:Property __ "," __ pattern:String __ opts:("," __ [imxs]+ __)? ")" {
     assertCan('regex');
+    assertSafeRegex(pattern);
     if (opts) return set({}, prop, {$regex: pattern, $options: opts[2].join('')});
     return set({}, prop, {$regex: pattern});
   }

test/query.js

@@ -141,6 +141,18 @@ describe('query', () => {
   });
 
   describe('options', () => {
+    describe('safeRegex', () => {
+      it('should default to disabled', () => {
+        expect(query.bind(null, 'regex(email,"(a+){10}")')).to.not.throw();
+      });
+      it('should throw when an unsafe regex is used', () => {
+        expect(query.bind(null, 'regex(email,"(a+){10}")', {safeRegex:true})).to.throw('regex not safe');
+      });
+      it('should not throw when the regex is safe', () => {
+        expect(query.bind(null, 'regex(email,"(a){10}")', {safeRegex:true})).to.not.throw();
+      });
+    });
+
     describe('disabledOperators', () => {
       it('take an array of keywords to disable', () => {
         expect(query.bind(null, 'regex(email,".*\\\\.gmail\\\\.com")', {disabledOperators:['regex']}))