Option to use RE2 (defaults on native regex engine)

[efebarlas]

Signed-off-by: Efe Barlas ebarlas@purdue.edu

What issue does this pull request resolve?
#1683
What changes did you make?
-I added an option on using RE2 or the native regex engine. This option defaults on the native regex engine.
-I added a dependency to node-re2. The unpacked size of node-re2 is 1.26 MB, but I do not know the minified size.
-I changed the 'usePattern' function to read the option, and to try and compile the regex in RE2. If RE2 throws an error, the system produces a log message, and falls back to the native regex engine.
Is there anything that requires more attention while reviewing?
-I haven't added tests which demonstrates the correctness of regex validation when RE2 is used. I'm waiting for a green light from the maintainers of ajv to do so.
Answer to this comment:
-When RE2 is enabled, some test cases in json-schema-test fail, because RE2 and ECMA 262, section 15.10.1 differ in their definition of whitespace (JS includes \v, the other does not).

[davisjam]

Questions and notes:

• If RE2 is used as the default engine, does the test suite pass?
• If merged, updates should be made to the documentation on the AJV website that describes ReDoS concerns, to document this option.

[epoberezkin]

I am not terribly excited about the idea of making node-re2 the dependency... I understand the problem though.

A better approach could be to make an option regExp to pass a function that given a string returns an object that has the same methods as RegExp object; this option would default to (s) => opts.unicodeRegExp ? new RegExp(s, "u") : new RegExp(s). It would also simplify the code in usePattern a bit - opts.unicodeRegExp would only be checked only if regExp option is not passed and only at instance construction.

Some other comments in code

[epoberezkin]

it's probably incorrect to call it "engine", RE2 is an engine, this one is probably just "regExp" or something...

[epoberezkin]

this fallback would be just handled in the passed function

[epoberezkin]

@efebarlas thanks - getting there! Possibly, having re2.ts file might create the expectation that re2 doesn't have to be imported separately... I guess it can be all covered in the docs.

[epoberezkin]

Cool - looks good - I can finalise

[epoberezkin]

merged

[marcospassos]

@epoberezkin and @efebarlas, passing a custom engine will also affect the validation of format: 'regex', right? I couldn't find any information about this in the docs.

[efebarlas]

After some experimenting, I don't think the validation of format: 'regex' is affected by changing the engine, because it seems that regexes with features RE2 doesn't support, such as (?=.@.), pass validation when RE2 is used. I think with formats, we just use the default regex engine.

I might work on a patch for this at some point, but I'm unfortunately busy at the moment.

[epoberezkin]

Thank you!

[reed-lawrence]

What is the RegExtEngine.code field intended to be used with? The following code is currently throwing an error:

import Ajv from 'ajv';
import RE2 from 're2';

const ajv = new Ajv({ code: { regExp: RE2 } });

Property 'code' is missing in type 'RE2Constructor' but required in type 'RegExpEngine'.

[davisjam]

@reed-lawrence , can you clarify whether you are asking "What is the purpose of this feature?" or something else?

[reed-lawrence]

@davisjam Thanks for the reply.

I guess I am wondering if the declared interface is correct or how to reconcile that the code sample in the documentation for ReDoS attack mitigation does not build. What would be the proper integration of RE2 given the error posted in my prior comment?

Is the .code field required or optional? Given that the re2 library does not implement it. If the .code field is required, what is the proper implementation of an external regex engine such as re2