regexThreatProtection

const regexThreatProtection: (config?) => Policy

Defined in: src/policies/traffic/regex-threat-protection.ts:96

Regex threat protection policy.

Scans request path, query string, headers, and/or body against configurable regex patterns. Throws a 400 GatewayError on first match.

Parameter: config? (RegexThreatProtectionConfig)

Returns: Policy

User-provided regex patterns can cause catastrophic backtracking (ReDoS) if they contain nested quantifiers or overlapping alternations (e.g. (a+)+, (a|a)*b). A crafted input string can cause the regex engine to run in exponential time, blocking the worker thread and effectively denying service. All patterns should be reviewed for super-linear time complexity before deployment. Consider using atomic patterns, possessive quantifiers (where supported), or testing patterns with a ReDoS detection tool.

import { regexThreatProtection } from "@homegrower-club/stoma";

regexThreatProtection({
  patterns: [
    { regex: "(union|select|insert|delete|drop)\\s", targets: ["path", "query", "body"], message: "SQL injection detected" },
    { regex: "<script[^>]*>", targets: ["body", "headers"], message: "XSS detected" },
  ],
});
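The remark above asks for patterns to be reviewed for super-linear behaviour before deployment, and the description states that the policy scans each configured target and fails on the first match. The following is an added example written for this page, not code from the stoma project: it runs two cheap heuristics over the configured pattern strings (nested quantifiers such as `(a+)+`, and a quantified alternation with identical alternatives such as `(a|a)*b`), times a linear pattern against a nested one on a deliberately short input so the difference is visible without stalling the process, and mirrors the first-match semantics over a constructed request. The helper names (`auditPattern`, `timeMatch`, `scanRequest`), the request shape, the header serialisation and the absence of regex flags are all assumptions made here; the real policy's internals are not specified on this page.

```javascript
// Added example for this page; not code from the stoma project. The helper names
// (auditPattern, timeMatch, scanRequest) are hypothetical, and the request shape,
// header serialisation and lack of regex flags are assumptions made here.

// Heuristic 1: a group containing an unbounded quantifier that is itself
// quantified, e.g. (a+)+ or (\w*)*. Does not cover {n,} bounds or nested groups.
const NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)[+*]/;

// Heuristic 2: a quantified alternation whose alternatives are identical,
// e.g. (a|a)*b. Only literal duplicates are caught, not every overlap.
const DUPLICATE_ALTERNATIVE = /\(((?:[^()\\|]|\\.)+)\|\1\)[+*]/;

// Returns the list of heuristic findings for one pattern string; empty means clean
// under these two checks only (a dedicated ReDoS tool should still be run).
function auditPattern(pattern) {
  const findings = [];
  if (NESTED_QUANTIFIER.test(pattern)) findings.push("nested quantifier");
  if (DUPLICATE_ALTERNATIVE.test(pattern)) findings.push("duplicate alternative under quantifier");
  return findings;
}

// Wall-clock milliseconds for a single RegExp test, used to compare a linear
// pattern with a super-linear one on a small input.
function timeMatch(regex, input) {
  const start = process.hrtime.bigint();
  new RegExp(regex).test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Illustration of the first-match semantics described for the policy: each
// pattern is tried against its configured targets in order and the first hit is
// reported as a 400. Headers are flattened to "name: value" lines and patterns
// are compiled with no flags; both choices are assumptions of this example.
function scanRequest(patterns, request) {
  const views = {
    path: () => request.path,
    query: () => request.query,
    headers: () => Object.entries(request.headers).map(([k, v]) => `${k}: ${v}`).join("\n"),
    body: () => request.body ?? "",
  };
  for (const p of patterns) {
    const re = new RegExp(p.regex);
    for (const target of p.targets) {
      if (re.test(views[target]())) return { status: 400, message: p.message, target };
    }
  }
  return null;
}

// The two patterns from the configuration shown above.
const PATTERNS = [
  { regex: "(union|select|insert|delete|drop)\\s", targets: ["path", "query", "body"], message: "SQL injection detected" },
  { regex: "<script[^>]*>", targets: ["body", "headers"], message: "XSS detected" },
];

// Constructed sample request; only the body carries text the first pattern matches.
const SAMPLE_REQUEST = {
  path: "/api/items",
  query: "id=1",
  headers: { host: "example.test", "content-type": "application/x-www-form-urlencoded" },
  body: "id=1 union select 1",
};

function main() {
  for (const p of [...PATTERNS, { regex: "^(a+)+$" }, { regex: "(a|a)*b" }]) {
    const f = auditPattern(p.regex);
    console.log(`${p.regex}: ${f.length ? f.join(", ") : "no heuristic findings"}`);
  }
  // 18 characters keeps the backtracking demonstration in the millisecond range.
  const input = "a".repeat(18) + "!";
  console.log("linear  ^a+$    :", timeMatch("^a+$", input).toFixed(2), "ms");
  console.log("nested  ^(a+)+$ :", timeMatch("^(a+)+$", input).toFixed(2), "ms");
  console.log(scanRequest(PATTERNS, SAMPLE_REQUEST));
}

main();
```

Both configured patterns pass the two heuristics, while `^(a+)+$` and `(a|a)*b` are flagged; the heuristics are intentionally narrow, so a clean result here is a reason to run a proper ReDoS checker, not a substitute for one. Keep the demonstration input short: the cost of the nested pattern roughly doubles with every added character.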