Resafe

Lightweight package to detect unsafe regex patterns and prevent ReDoS.

What is Resafe?

Resafe is a mathematical ReDoS detection engine that uses Thompson NFA construction, epsilon transition elimination, and spectral radius analysis to detect exponential backtracking vulnerabilities. By analyzing the automaton's adjacency matrix eigenvalues, Resafe determines if a regex has exponential growth patterns without executing test strings.

Features

- Pure Mathematical Analysis: Thompson NFA construction with spectral radius computation
- Deterministic Detection: Analyzes automaton structure, not pattern matching heuristics
- Spectral Radius: Detects exponential growth when eigenvalue > 1.0
- Fast Analysis: Average analysis time <1ms per pattern

Installation

``bash Using Bun bun add resafe `

`bash Using NPM npm install resafe `

`bash Using Yarn yarn add resafe `

Basic Usage

Simple pattern check

`ts import { check } from "resafe"; check(/([a-zA-Z0-9]+)*$/); `

Production-safe pattern validation

`ts import { check } from "resafe"; const safeRegex = check("^[0-9]+$", { throwErr: true, silent: true }); `

Custom threshold configuration

`ts import { check } from "resafe"; check("a+a+", { threshold: 1.5 }); ``

Why Resafe?

Regular expressions are powerful but can be a security bottleneck. A single poorly crafted regex can freeze a Node.js/Bun event loop. Resafe helps you:
1. Educate: Developers learn why a regex is bad through the "Solution" hints.
2. Automate: Run checks during CI/CD to catch ReDoS early.
3. Secure: Stop malicious or accidental "Catastrophic Backtracking" patterns.

License

MIT © ofabiodev