ajv-validator · efebarlas · Jul 9, 2021 · Jul 9, 2021 · Jul 9, 2021 · Jul 9, 2021
diff --git a/docs/options.md b/docs/options.md
@@ -69,6 +69,7 @@ const defaultOptions = {
     source: false,
     process: undefined, // (code: string) => string
     optimize: true,
+    regExp: RegExp
   },
 }
 ```
@@ -361,6 +362,11 @@ type CodeOptions = {
   // Code snippet created with `_` tagged template literal that contains all format definitions,
   // it can be the code of actual definitions or `require` call:
   // _`require("./my-formats")`
+  regExp: RegExpEngine
+  // Developers looking for a ReDoS mitigation may wish to use a DFA regex engine,
+  // such as node-re2. During validation of a schema, code.regExp will be 
+  // used to match strings against regexes. The supplied object must support 
+  // the interface: regExp(regex, unicodeFlag).test(string) => boolean
 }
 
 type Source = {

diff --git a/lib/core.ts b/lib/core.ts
@@ -61,7 +61,7 @@ import {getJSONTypes} from "./compile/validate/dataType"
 import {eachItem} from "./compile/util"
 
 import * as $dataRefSchema from "./refs/data.json"
-
+import DefaultRegExp from "./runtime/regexp"
 const META_IGNORE_OPTIONS: (keyof Options)[] = ["removeAdditional", "useDefaults", "coerceTypes"]
 const EXT_SCOPE_NAMES = new Set([
   "validate",
@@ -134,16 +134,24 @@ export interface CurrentOptions {
   code?: CodeOptions // NEW
 }
 
+type RegExpEngine = (pattern: string, u: string) => RegExpLike
+
+export interface RegExpLike {
+  test: (s: string) => boolean
+}
+
 export interface CodeOptions {
   es5?: boolean
   lines?: boolean
   optimize?: boolean | number
   formats?: Code // code to require (or construct) map of available formats - for standalone code
   source?: boolean
   process?: (code: string, schema?: SchemaEnv) => string
+  regExp?: RegExpEngine & {code: string} // add type
 }
 
 interface InstanceCodeOptions extends CodeOptions {
+  regExp: RegExpEngine & {code: string}
   optimize: number
 }
 
@@ -231,13 +239,15 @@ function requiredOptions(o: Options): RequiredInstanceOptions {
   const s = o.strict
   const _optz = o.code?.optimize
   const optimize = _optz === true || _optz === undefined ? 1 : _optz || 0
+  const _regExp = o.code?.regExp
+  const regExp = _regExp ?? DefaultRegExp
   return {
     strictSchema: o.strictSchema ?? s ?? true,
     strictNumbers: o.strictNumbers ?? s ?? true,
     strictTypes: o.strictTypes ?? s ?? "log",
     strictTuples: o.strictTuples ?? s ?? "log",
     strictRequired: o.strictRequired ?? s ?? false,
-    code: o.code ? {...o.code, optimize} : {optimize},
+    code: o.code ? {...o.code, optimize, regExp} : {optimize, regExp},
     loopRequired: o.loopRequired ?? MAX_EXPRESSION,
     loopEnum: o.loopEnum ?? MAX_EXPRESSION,
     meta: o.meta ?? true,
@@ -278,7 +288,9 @@ export default class Ajv {
 
   constructor(opts: Options = {}) {
     opts = this.opts = {...opts, ...requiredOptions(opts)}
-    const {es5, lines} = this.opts.code
+    const {es5, lines, regExp} = this.opts.code
+    this.opts.code.regExp = regExp ?? DefaultRegExp
+
     this.scope = new ValueScope({scope: {}, prefixes: EXT_SCOPE_NAMES, es5, lines})
     this.logger = getLogger(opts.logger)
     const formatOpt = opts.validateFormats

diff --git a/lib/runtime/re2.ts b/lib/runtime/re2.ts
@@ -0,0 +1,11 @@
+import * as re2 from "re2"
+
+// interface RegExpLike {
+//    test: (s: string) => boolean
+// }
+// type RegExpEngine = (pattern: string, u: string) => RegExpLike
+
+type Re2 = typeof re2 & {code: string}
+;(re2 as Re2).code = 'require("ajv/dist/runtime/re2").default'
+
+export default re2 as Re2
diff --git a/lib/runtime/regexp.ts b/lib/runtime/regexp.ts
@@ -0,0 +1,10 @@
+const defaultRegExp = RegExp
+
+//interface RegExpLike {
+//    test: (s: string) => boolean
+//}
+//type RegExpEngine = (pattern: string, u: string) => RegExpLike
+type RegExpImport = RegExpConstructor & {code: string}
+;(defaultRegExp as RegExpImport).code = 'require("ajv/dist/runtime/regexp").default' // TODO: change type
+
+export default defaultRegExp as RegExpImport // TODO: change type
diff --git a/lib/vocabularies/code.ts b/lib/vocabularies/code.ts
@@ -4,7 +4,7 @@ import type {KeywordCxt} from "../compile/validate"
 import {CodeGen, _, and, or, not, nil, strConcat, getProperty, Code, Name} from "../compile/codegen"
 import {alwaysValidSchema, Type} from "../compile/util"
 import N from "../compile/names"
-
+import {useFunc} from "../compile/util"
 export function checkReportMissingProp(cxt: KeywordCxt, prop: string): void {
   const {gen, data, it} = cxt
   gen.if(noPropertyInData(gen, data, prop, it.opts.ownProperties), () => {
@@ -92,10 +92,12 @@ export function callValidateCode(
 
 export function usePattern({gen, it: {opts}}: KeywordCxt, pattern: string): Name {
   const u = opts.unicodeRegExp ? "u" : ""
+  const {regExp} = opts.code
+
   return gen.scopeValue("pattern", {
     key: pattern,
-    ref: new RegExp(pattern, u),
-    code: _`new RegExp(${pattern}, ${u})`,
+    ref: regExp(pattern, u),
+    code: _`${useFunc(gen, regExp)}(${pattern}, ${u})`,
   })
 }
 

diff --git a/package.json b/package.json
@@ -95,6 +95,7 @@
     "node-fetch": "^3.0.0",
     "nyc": "^15.0.0",
     "prettier": "^2.3.1",
+    "re2": "^1.16.0",
     "rollup": "^2.44.0",
     "rollup-plugin-terser": "^7.0.2",
     "ts-node": "^10.0.0",

diff --git a/spec/issues/1683_re2_engine.spec.ts b/spec/issues/1683_re2_engine.spec.ts
@@ -0,0 +1,33 @@
+import getAjvAllInstances from "../ajv_all_instances"
+import {withStandalone} from "../ajv_standalone"
+import {_} from "../../dist/compile/codegen/code"
+import jsonSchemaTest = require("json-schema-test")
+import options from "../ajv_options"
+import {afterError, afterEach} from "../after_test"
+import chai from "../chai"
+import re2 from "../../dist/runtime/re2"
+
+const instances = getAjvAllInstances(options, {
+  $data: true,
+  formats: {allowedUnknown: true},
+  strictTypes: false,
+  strictTuples: false,
+})
+
+instances.forEach((ajv) => {
+  ajv.opts.code.source = true
+  ajv.opts.code.formats = _`{allowedUnknown: true}`
+  ajv.opts.code.regExp = re2
+})
+
+jsonSchemaTest(withStandalone(instances), {
+  description:
+    "Extra keywords schemas tests of " + instances.length + " ajv instances with different options",
+  suites: {extras: require("./pattern")},
+  assert: chai.assert,
+  afterError,
+  afterEach,
+  cwd: __dirname,
+  hideFolder: "extras/",
+  timeout: 90000,
+})
diff --git a/spec/issues/pattern.js b/spec/issues/pattern.js
@@ -0,0 +1,4 @@
+module.exports = [
+  {name: "$data/format", test: require("../extras/$data/format.json")},
+  {name: "$data/pattern", test: require("../extras/$data/pattern.json")},
+]