RegExp typed input type: evil regexes vs evil inputs

I was researching typed input types the other day and noticed that there is a RegExp typed input type. This is documented, yet it does not appear to be widely used within the Node-RED typed inputs.

Just wondering when it was introduced and if there is any reason for it not being used?

I also did some research into ReDoS (Regular Expression Denial of Service), which was interesting. Under certain circumstances, i.e. back-referencing, it is possible to induce prolonged timeouts to the extent where the Node-RED editor was unavailable, i.e. the server was not responsive.

I believe this is due to the event-loop-blocking nature of regular expression checks.

OWASP states that some regexps are 'Evil', yet at the same time this is a potential 'Evil', as it requires a string of a certain format to induce DoS.

I also researched regex validation: ReDoS detectors etc., and the RE2 library as well. The makers of RE2 figure that inputs are 'Evil' and that regexps are vulnerable. On validation, RE2 will reject regexps that allow for backtracking and look-ahead assertions.

This in a way reminded me of Philip Zimbardo and the Lucifer Effect. Did evil regexps create evil inputs? :slight_smile:

Interesting.

I timed a change node testing strings of 20 to 30 'a' characters followed by a bang (aaaaaaaaaaaaaaaaaaaa!) against the regex (a|a?)+$ on a Raspberry Pi Zero 2 (RHS) and a Pi 4 (LHS):

Processing the regex consumed 100% of one CPU, but it did not use all the memory, and the Pis did not throttle. I could still log in over ssh, but the editor window was unresponsive, and systemctl restart node-red did not interrupt the processing.

I wonder if this would make a useful component of a Node-red benchmark.


I don't know when it was introduced, to be honest. However, not many people actually know how to use regexes, so I don't think there is anything specifically against its use, just that not many people think about it. You can, of course, also use them in both JSONata and function nodes.

Typed inputs are relatively "new" in node-red (at least for those of us around since the early days :smiley: )

They are themselves quite complex for node developers to programme correctly, which possibly limits their use.

I think that is why ReDoS exists as a threat. It is too easy to ask an AI assistant (without specifying a need for ReDoS-safe regexps), or for regexps to be copied from web pages, for use in a node.

This is useful: redos-detector can be used in node to validate regexps prior to use.