
To detect all IP in the 127.0.0.1/8 network, I'm using this common regular expression:

/^127(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$/

Job is done, but codacy via es-lint is detecting this regexp as unsafe.

I already read this blog, this stackoverflow question, but I'm not fluent with regexp and I don't understand all explanations.

I tried to add [^,\r\n] in a lot of positions but it doesn't work.

Here is a tool to test the regexp: https://regex101.com/r/YbYrcd/1

Here is my javascript code detected as unsafe regexp by eslint:

window.location.hostname.match(
  /^127(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$/
)

How to transform the above regular expression to a safer one which is compliant with eslint?

Alexandre Tranchant
  • Do you have a very good reason to use a regex in the first place? – RobIII Aug 21 '18 at 09:20
  • This regex is safe. Do not believe what es-lint tells you. If you just want to get rid of the warning, unwrap the quantified group, see https://regex101.com/r/YbYrcd/2. – Wiktor Stribiżew Aug 21 '18 at 09:21
  • Probably word *unsafe* refers to a different definition in this context. Your regex is totally fine. – revo Aug 21 '18 at 09:22
  • I see the one https://regex101.com/r/YbYrcd/1 is not matching ```127.0.0.1```. So it's probably unsafe. @WiktorStribiżew has given a more safer regex – Haseeb Jehanzeb Aug 21 '18 at 09:25
  • `Here is a tools to test the regexp` - you're missing a `.` in that - see https://regex101.com/r/YbYrcd/3 – Jaromanda X Aug 21 '18 at 09:28
  • I'm rather wondering what sort of hardware you have which can support 17 million hosts on the loopback network. It would have been helpful if you'd supplied a description of how exacting the match needs to be - parsing binary numbers represented in ASCII decimals using regular expressions is not trivial. – symcbean Aug 21 '18 at 09:37
  • @Robill : This code is generated by reactjs in the `registerServiceWorker.js` file when dev team creates a new reactjs project. Final clients want to have a "A" score application. So I am trying to pull a request to update this regexp on reactjs project. – Alexandre Tranchant Aug 21 '18 at 09:55
  • @WiktorStribiżew : Yes it seems to me that regexp was already safe, but you know how final clients react with security indicators... Your update rid of the warning. Thanks a lot. Do you want to post your answer? So, I will accept it. – Alexandre Tranchant Aug 21 '18 at 09:58
  • @user202729 : Yes, it should be "detecting this regex as unsafe". Post is edited. – Alexandre Tranchant Aug 21 '18 at 10:01

1 Answer


Eslint produces a warning because your regex contains a quantified group containing alternation operators and quantifiers inside. In reality, since the limiting quantifier only "repeats" the pattern three times, the pattern is rather safe, but Eslint cannot deduce that.

To get rid of the warning, unwrap/unroll the quantified group (=repeat the . + octet pattern three times):

/^127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/

See the regex demo

Wiktor Stribiżew
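As an added example (not code from the question, the answer, or the React project), the snippet below runs the original quantified-group regex and the unrolled form from the answer over a constructed set of hostnames, to show that the rewrite that silences the lint warning accepts and rejects exactly the same strings; the hostname values are made up for the test and stand in for `window.location.hostname`.

```javascript
// Original form: a quantified group wrapping alternation, which the lint
// rule flags because it cannot see that {3} bounds the repetition.
const ORIGINAL = /^127(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$/;

// Unrolled form from the answer: the "\. + octet" piece written out
// three times, so no quantified group remains for the linter to flag.
const UNROLLED =
  /^127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/;

// Loopback check as it would be used in place of the original match() call.
function isLoopbackHostname(hostname) {
  return UNROLLED.test(hostname);
}

// Constructed sample hostnames: valid 127/8 addresses, out-of-range octets,
// too few or too many octets, a non-loopback address and a bare name.
const SAMPLES = [
  "127.0.0.1",
  "127.255.255.255",
  "127.1.2.3",
  "127.0.0.01", // leading zero: accepted by [01]?[0-9][0-9]?, a known quirk
  "127.256.0.1",
  "127.0.0",
  "127.0.0.1.5",
  "128.0.0.1",
  "localhost",
];

// Evaluate both forms on every sample so the results can be compared.
function compareForms(hostnames) {
  return hostnames.map((h) => ({
    hostname: h,
    original: ORIGINAL.test(h),
    unrolled: UNROLLED.test(h),
  }));
}

// True when the unrolled regex agrees with the original on every input.
function formsAgree(hostnames) {
  return compareForms(hostnames).every((r) => r.original === r.unrolled);
}
```

Note that both forms accept octets with a leading zero such as `127.0.0.01`; if that matters for your check, parse the four octets and range-check them as integers instead of tightening the regex further.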