Hi all, I'm a PhD student at Virginia Tech. I'm working on a research project to detect vulnerable regexes.
I've developed a tool that queries an ensemble of catastrophic backtracking detectors (repo here <https://github.com/davisjam/vuln-regex-detector/>). Because the tool is expensive to run, I set up a server that maintains a database of previous queries and results. I created an npm module that asynchronously queries this server over HTTP (module here <https://www.npmjs.com/package/vuln-regex-detector>).

I would like to create an eslint plugin to make it easy for developers to adopt it. The plugin I envision is similar to this one <https://www.npmjs.com/package/eslint-plugin-security#detect-unsafe-regex> that uses safe-regex <https://github.com/substack/safe-regex> (which, alas, has high rates of false positives and false negatives, and is incorrectly implemented <https://github.com/substack/safe-regex/pull/9> to boot).

However, it looks from the eslint docs that eslint rules must be synchronous <https://eslint.org/docs/developer-guide/architecture#rules>. I couldn't find this discussed explicitly in the eslint issues or this mailing list; please forgive me if I missed a discussion about this somewhere.

I am interested in thoughts on:

- Whether there's any point in making *synchronous* HTTP requests? (I suspect this would lead to terrible linter performance)
- Whether there's a way to make an asynchronous eslint rule?
- If eslint is not a good way to do this, can anyone recommend an alternative approach?

Thank you,
Jamie
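One way to work within the synchronous-rule constraint raised above is to keep all network I/O out of the rule entirely: an asynchronous pre-pass populates a pattern-to-verdict table ahead of time, and the ESLint rule only does synchronous lookups against that table. The following is an added example written for this thread; it is not Jamie's code and does not use the vuln-regex-detector module's API. The verdict table, the `UNKNOWN` handling, and the small harness that feeds ESTree-shaped nodes to the rule are constructed for illustration; the rule object itself follows ESLint's documented rule shape (`meta`, `create(context)`, `context.report`, and `node.regex` on regex literals).

```javascript
// Added example: a synchronous ESLint rule that never performs I/O at lint time.
// It consults a lookup table of regex pattern -> verdict that is assumed to have
// been filled in earlier by an asynchronous pre-pass (constructed here).
const constructedVerdicts = {
  "(a+)+$": "VULNERABLE",               // classic nested quantifier
  "^\\d{4}-\\d{2}-\\d{2}$": "SAFE",      // linear-time date check
};

// Synchronous lookup; anything the pre-pass has not analysed is UNKNOWN, so the
// rule can tell the developer to re-run the pre-pass instead of guessing.
function lookupVerdict(verdicts, pattern) {
  return Object.prototype.hasOwnProperty.call(verdicts, pattern)
    ? verdicts[pattern]
    : "UNKNOWN";
}

// The rule itself, in ESLint's rule-module shape. The verdict table arrives via
// rule options so the rule stays pure and synchronous.
const rule = {
  meta: {
    type: "problem",
    docs: { description: "flag regexes with a precomputed catastrophic-backtracking verdict" },
    schema: [{
      type: "object",
      properties: { verdicts: { type: "object" } },
      additionalProperties: false,
    }],
  },
  create(context) {
    const verdicts = (context.options[0] && context.options[0].verdicts) || {};

    function check(node, pattern, flags) {
      const verdict = lookupVerdict(verdicts, pattern);
      if (verdict === "VULNERABLE") {
        context.report({ node, message: `Regex /${pattern}/${flags} is vulnerable to catastrophic backtracking` });
      } else if (verdict === "UNKNOWN") {
        context.report({ node, message: `Regex /${pattern}/${flags} has not been analysed yet; run the async pre-pass` });
      }
    }

    return {
      // /.../ literals: ESTree exposes the source via node.regex
      Literal(node) {
        if (node.regex) check(node, node.regex.pattern, node.regex.flags);
      },
      // new RegExp("...") with a string literal first argument
      NewExpression(node) {
        const args = node.arguments || [];
        if (node.callee.type === "Identifier" && node.callee.name === "RegExp" &&
            args.length > 0 && args[0].type === "Literal" && typeof args[0].value === "string") {
          const flagsArg = args[1];
          const flags = flagsArg && flagsArg.type === "Literal" && typeof flagsArg.value === "string"
            ? flagsArg.value : "";
          check(node, args[0].value, flags);
        }
      },
    };
  },
};

// Minimal constructed harness so the rule runs without ESLint installed: feeds
// ESTree-shaped nodes to the rule's visitors and collects report messages.
function runRuleOnNodes(nodes, options) {
  const reports = [];
  const context = {
    options: options ? [options] : [],
    report(r) { reports.push(r.message); },
  };
  const visitors = rule.create(context);
  for (const node of nodes) {
    const visit = visitors[node.type];
    if (visit) visit(node);
  }
  return reports;
}

// Constructed sample nodes: one known-vulnerable literal, one known-safe literal,
// and one RegExp constructor call the pre-pass has not seen.
const constructedNodes = [
  { type: "Literal", regex: { pattern: "(a+)+$", flags: "" } },
  { type: "Literal", regex: { pattern: "^\\d{4}-\\d{2}-\\d{2}$", flags: "" } },
  { type: "NewExpression", callee: { type: "Identifier", name: "RegExp" },
    arguments: [{ type: "Literal", value: "(x|x)*y" }] },
];

console.log(runRuleOnNodes(constructedNodes, { verdicts: constructedVerdicts }));
```

The design choice is to make cache misses visible rather than silent: an `UNKNOWN` verdict produces a report, so a developer who adds a new regex is prompted to re-run the (asynchronous) pre-pass, and the lint step itself stays fast and deterministic.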
