The `no-unsafe-regex` rule is annoying #153

// @bdougherty

The safe-regex module also seems unmaintained, so not a great start.

For this plugin to be useful it needs to pinpoint exactly where in the regex the problem lies, and suggest how it could be fixed, ideally with --fix support.

It could maybe use regexp-tree.

Based on what I was reading about the regexes that it's looking for (primarily http://www.regular-expressions.info/catastrophic.html), I'm not sure that there is an automated way to fix them.

But I agree that it should give some indication of what the issue is, I'm just not sure how to do that exactly. I'll mess around with it and see if I can come up with anything.

@issuehunt has funded $60.00 to this issue.

• Submit pull request via IssueHunt to receive this reward.
• Want to contribute? Chip in to this issue via IssueHunt.
• Checkout the IssueHunt Issue Explorer to see more funded issues.
• Need help from developers? Add your repository on IssueHunt to raise funds.

Even a trivial regular expression like /\./, which should have a star height of 0, is enough to trip the rule. It's possible it's just an incompatibility with the u flag, though.

Arguably this regexp does not need u, but there is a good reason for using u on all regexps: it disables Annex B features.

safe-regex readme now says

WARNING: This module has both false positives and false negatives. Use vuln-regex-detector for improved accuracy.

Discussion on using this here: https://github.com/nodesecurity/eslint-plugin-security/issues/28

I wonder if it's possible for one eslint plugin to pull in just one rule from another plugin

Interestingly,

(( )?[0-9]){2}$ also raises the warning, (( )?[0-9])(( )?[0-9])$ does not. It seems to have to do with the repetition.

@sindresorhus has rewarded $54.00 to @fisker. See it on IssueHunt

• :moneybag: Total deposit: $60.00
• :tada: Repository reward(0%): $0.00
• :wrench: Service fee(10%): $6.00