I'm using a uuid package which can validate whether a string is a UUID.
I'm afraid of ReDOS attacks. Is this regex exposed to ReDOS attacks? Maybe other attacks I haven't thought of?
/^(?:[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}|00000000-0000-0000-0000-000000000000)$/i
Currently I slice the string before passing it to the function, but it's cumbersome and less readable:
const { flow } = require('lodash');
// keep only the 36 characters a UUID occupies before handing the string on
flow(s => s.slice(0, 36), console.log)('uuid');
The OWASP article you linked has your answer. A pattern is considered "Evil" (vulnerable to a ReDOS attack) if it contains repetition inside a repeated group.
Evil Regexes
A Regex is called “evil” if it can get stuck on crafted input.
Evil Regex pattern contains:
- Grouping with repetition
- Inside the repeated group:
  - Repetition
  - Alternation with overlapping
Your pattern does not have grouping inside of repetition, so it is not vulnerable. That said, if you know you expect a UUID inside the first 36 characters of the string you are searching, there is an efficiency benefit to trimming the string before you attempt to match. I don't know if the slice is hard enough to read to warrant the extra time searching your string; you'll have to judge that for yourself.
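Added example, not code from the question, the answer or the uuid package: the question's pattern wrapped in a validator plus a small timing harness over constructed inputs, showing that the anchored, fixed-count pattern rejects long inputs quickly without any slicing. The names isUuid, timedCheck, runSamples and the sample values are assumptions made here.

```javascript
// The UUID pattern from the question, unchanged.
const UUID_RE = /^(?:[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}|00000000-0000-0000-0000-000000000000)$/i;

// Validate a whole string as a UUID. No slicing is needed: the pattern is
// anchored at both ends and every quantifier has a fixed count, so there is
// no repeated group for the engine to backtrack into.
function isUuid(s) {
  return typeof s === 'string' && UUID_RE.test(s);
}

// Run isUuid() on one input and report the verdict and elapsed milliseconds.
function timedCheck(s) {
  const start = process.hrtime.bigint();
  const ok = isUuid(s);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { ok, ms };
}

// Constructed sample inputs (not real identifiers).
const VALID = '123e4567-e89b-12d3-a456-426614174000'; // version 1, variant 'a'
const NIL = '00000000-0000-0000-0000-000000000000';     // hits the second alternative
const SAMPLES = {
  valid: VALID,
  upper: VALID.toUpperCase(),                          // accepted via the /i flag
  nil: NIL,
  badVersion: '123e4567-e89b-02d3-a456-426614174000',  // version nibble 0 is not in [1-5]
  badVariant: '123e4567-e89b-12d3-7456-426614174000',  // variant nibble 7 is not in [89ab]
  trailing: VALID + 'x'.repeat(1000000),               // valid prefix, junk after: rejected by $
  hyphens: '-'.repeat(1000000),                        // long run of the pattern's only literal
};

// Check every sample and collect { ok, ms } per name.
function runSamples() {
  const out = {};
  for (const [name, input] of Object.entries(SAMPLES)) {
    out[name] = timedCheck(input);
  }
  return out;
}

// Print a short report when run directly.
function report() {
  for (const [name, { ok, ms }] of Object.entries(runSamples())) {
    console.log(`${name.padEnd(11)} ok=${ok} ${ms.toFixed(3)} ms`);
  }
}
```

Calling report() prints each verdict with its timing; the two million-character inputs are rejected in well under a millisecond on an ordinary machine, which is the behaviour the answer predicts for a pattern without nested repetition.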