feat(input_schema): Validate regexp patterns (#553)

Solves apify/apify-core#23455:

For patterns in `pattern` (string) and `patternKey` an `patternValue`
(object and array) do:

- check if the regex can be compiled (`new RegExp(pattern)`)
- check if the regex is save using the
[safe-regex](https://www.npmjs.com/package/safe-regex) package
> WARNING: This module has both false positives and false negatives. Use
[vuln-regex-detector](https://github.com/davisjam/vuln-regex-detector)
for improved accuracy.

^ I think we can live with that? 🤔 (The `vuln-regex-detector` is more
complex and query remote server instead of tatic analysis / heuristics)

The heuristic used in `safe-regex` is quite easy to understand:
https://github.com/davisjam/safe-regex/blob/master/src/heuristic-analyzer.js:

### Star height > 1

> What is Star Height? It’s the maximum nesting depth of repetition
operators (*, +, {m,n}) in the regex.
>
>For example:
>
>- `a*` → star height = 1
> `(a*)*` → star height = 2
> `((a+)+)*` → star height = 3
>
>Why this matters:
>
>Nested quantifiers like `(a+)+` or `(a|aa)+` are classic ReDoS
patterns.
>When regex engines try to match them against long strings, they can
backtrack exponentially.

### Number of repetitions exceeds a threshold
> Threshold is set to 25, can be customized. 
> This checks how many total quantifiers (`*`, `+`, `{m,n}`) appear in
the regex.
> If the total count exceeds a configurable limit
(this.options.heuristic_replimit), it’s flagged as risky.
>
> This heuristic is much weaker — many safe regexes can have multiple
quantifiers — but it helps detect suspiciously repetitive patterns.

Author: mfori

package-lock.json

@@ -52,9 +52,13 @@
         "@apify/input_secrets": "^1.2.9",
         "@apify/json_schemas": "^0.5.1",
         "acorn-loose": "^8.4.0",
-        "countries-list": "^3.0.0"
+        "countries-list": "^3.0.0",
+        "safe-regex": "^2.1.1"
     },
     "peerDependencies": {
         "ajv": "^8.0.0"
+    },
+    "devDependencies": {
+        "@types/safe-regex": "^1.1.6"
     }
 }

packages/input_schema/package.json

@@ -5,13 +5,15 @@ import { inputSchema as schema } from '@apify/json_schemas';
 
 import { m } from './intl';
 import type {
+    ArrayFieldDefinition,
     CommonResourceFieldDefinition,
     FieldDefinition,
     InputSchema,
     InputSchemaBaseChecked,
+    ObjectFieldDefinition,
     StringFieldDefinition,
 } from './types';
-import { ensureAjvSupportsDraft2019 } from './utilities';
+import { ensureAjvSupportsDraft2019, validateRegexpPattern } from './utilities';
 
 export { schema as inputSchema };
 
@@ -131,7 +133,12 @@ function validateBasicStructure(validator: Ajv, obj: Record<string, unknown>): a
  * @param fieldKey Key of the field in the input schema.
  * @param isSubField If true, the field is a sub-field of another field, so we need to skip some definitions.
  */
-function validateField(validator: Ajv, fieldSchema: Record<string, unknown>, fieldKey: string, isSubField = false): asserts fieldSchema is FieldDefinition {
+function validateFieldAgainstSchemaDefinition(
+    validator: Ajv,
+    fieldSchema: Record<string, unknown>,
+    fieldKey: string,
+    isSubField = false,
+): asserts fieldSchema is FieldDefinition {
     const relevantDefinitions = isSubField ? subFieldDefinitions : fieldDefinitions;
 
     const matchingDefinitions = Object
@@ -188,6 +195,26 @@ function validateField(validator: Ajv, fieldSchema: Record<string, unknown>, fie
     validateAgainstSchemaOrThrow(validator, fieldSchema, enhanceDefinition(definition), `schema.properties.${fieldKey}`);
 }
 
+/**
+ * Validates particular field against it's schema and other rules (like regex patterns).
+ * @param validator An instance of AJV validator (must support draft 2019-09).
+ * @param fieldSchema Schema of the field to validate.
+ * @param fieldKey Key of the field in the input schema.
+ * @param isSubField If true, the field is a sub-field of another field, so we need to skip some definitions.
+ */
+function validateField(validator: Ajv, fieldSchema: Record<string, unknown>, fieldKey: string, isSubField = false): asserts fieldSchema is FieldDefinition {
+    // Validate against schema definition first.
+    validateFieldAgainstSchemaDefinition(validator, fieldSchema, fieldKey, isSubField);
+
+    // Validate regex patterns if defined.
+    const { pattern } = fieldSchema as Partial<StringFieldDefinition>;
+    const { patternKey, patternValue } = fieldSchema as Partial<ObjectFieldDefinition & ArrayFieldDefinition>;
+
+    if (pattern) validateRegexpPattern(pattern, `${fieldKey}.pattern`);
+    if (patternKey) validateRegexpPattern(patternKey, `${fieldKey}.patternKey`);
+    if (patternValue) validateRegexpPattern(patternValue, `${fieldKey}.patternValue`);
+}
+
 /**
  * Validates all subfields (and their subfields) of a given field schema.
  */

packages/input_schema/src/input_schema.ts

@@ -35,6 +35,10 @@ const intlStrings = {
         'Field {rootName}.{fieldKey}.apifyProxyGroups must be an array of strings.',
     'inputSchema.validation.secretFieldSchemaChanged':
         'The field schema.properties.{fieldKey} is a secret field, but its schema has changed. Please update the value in the input editor.',
+    'inputSchema.validation.regexpNotValid':
+        'The regular expression "{pattern}" in field schema.properties.{fieldKey} must be valid.',
+    'inputSchema.validation.regexpNotSafe':
+        'The regular expression "{pattern}" in field schema.properties.{fieldKey} may cause excessive backtracking or be unsafe to execute.',
 };
 
 /**

packages/input_schema/src/intl.ts

@@ -2,6 +2,7 @@ import { parse } from 'acorn-loose';
 import type { ValidateFunction } from 'ajv';
 import type Ajv from 'ajv/dist/2019';
 import { countries } from 'countries-list';
+import safe from 'safe-regex';
 
 import { PROXY_URL_REGEX, URL_REGEX } from '@apify/consts';
 import { isEncryptedValueForFieldSchema, isEncryptedValueForFieldType } from '@apify/input_secrets';
@@ -361,3 +362,26 @@ export function ensureAjvSupportsDraft2019(ajvInstance: Ajv) {
         );
     }
 }
+
+/**
+ * Validates that the provided pattern is a valid and safe regular expression.
+ * @param pattern The regular expression pattern to validate.
+ * @param fieldKey The field key where the pattern is used (for error messages).
+ */
+export function validateRegexpPattern(pattern: string, fieldKey: string) {
+    let regex: RegExp;
+
+    try {
+        // Validate that the pattern is a valid regular expression
+        regex = new RegExp(pattern);
+    } catch {
+        const message = m('inputSchema.validation.regexpNotValid', { pattern, fieldKey });
+        throw new Error(`Input schema is not valid (${message})`);
+    }
+
+    // Check if the regex is safe (to avoid ReDoS attacks)
+    if (!safe(regex)) {
+        const message = m('inputSchema.validation.regexpNotSafe', { pattern, fieldKey });
+        throw new Error(`Input schema is not valid (${message})`);
+    }
+}

packages/input_schema/src/utilities.ts

@@ -922,5 +922,150 @@ describe('input_schema.json', () => {
                 });
             });
         });
+
+        describe('validate pattern regexps', () => {
+            it('should accept valid regexp', () => {
+                const schema = {
+                    title: 'Test input schema',
+                    type: 'object',
+                    schemaVersion: 1,
+                    properties: {
+                        myField: {
+                            title: 'Field title',
+                            type: 'string',
+                            description: 'Some description ...',
+                            editor: 'textfield',
+                            pattern: '^[A-Z]{3}$',
+                        },
+                        objectField: {
+                            title: 'Object field',
+                            type: 'object',
+                            description: 'Some description ...',
+                            editor: 'json',
+                            patternKey: '^[a-z]+$',
+                            patternValue: '^[0-9]+$',
+                        },
+                        arrayField: {
+                            title: 'Array field',
+                            type: 'array',
+                            description: 'Some description ...',
+                            editor: 'json',
+                            patternKey: '^[a-z]+$',
+                            patternValue: '^[0-9]+$',
+                        },
+                    },
+                };
+
+                expect(() => validateInputSchema(validator, schema)).not.toThrow();
+            });
+
+            it('should throw error on invalid pattern regexp', () => {
+                const schema = {
+                    title: 'Test input schema',
+                    type: 'object',
+                    schemaVersion: 1,
+                    properties: {
+                        myField: {
+                            title: 'Field title',
+                            type: 'string',
+                            description: 'Some description ...',
+                            editor: 'textfield',
+                            pattern: '[A-Z{3}', // invalid regexp
+                        },
+                    },
+                };
+
+                expect(() => validateInputSchema(validator, schema)).toThrow(
+                    'Input schema is not valid (The regular expression "[A-Z{3}" in field schema.properties.myField.pattern must be valid.)',
+                );
+            });
+
+            it('should throw error on invalid patternKey regexp', () => {
+                const schema = {
+                    title: 'Test input schema',
+                    type: 'object',
+                    schemaVersion: 1,
+                    properties: {
+                        objectField: {
+                            title: 'Object field',
+                            type: 'object',
+                            description: 'Some description ...',
+                            editor: 'json',
+                            patternKey: '[a-z+$', // invalid regexp
+                            patternValue: '^[0-9]+$',
+                        },
+                    },
+                };
+
+                expect(() => validateInputSchema(validator, schema)).toThrow(
+                    'Input schema is not valid (The regular expression "[a-z+$" in field schema.properties.objectField.patternKey must be valid.)',
+                );
+            });
+
+            it('should throw error on invalid patternValue regexp', () => {
+                const schema = {
+                    title: 'Test input schema',
+                    type: 'object',
+                    schemaVersion: 1,
+                    properties: {
+                        objectField: {
+                            title: 'Object field',
+                            type: 'object',
+                            description: 'Some description ...',
+                            editor: 'json',
+                            patternKey: '^[a-z]+$',
+                            patternValue: '^[0-9+$', // invalid regexp
+                        },
+                    },
+                };
+
+                expect(() => validateInputSchema(validator, schema)).toThrow(
+                    'Input schema is not valid (The regular expression "^[0-9+$" in field schema.properties.objectField.patternValue must be valid.)',
+                );
+            });
+
+            it('should throw error on not safe regexp', () => {
+                const invalidRegexps = [
+                    '(a+)+$',
+                    '^(a|a?)+$',
+                    '^(a|a*)+$',
+                    '^(a|a+)+$',
+                    '^(a?)+$',
+                    '^(a*)+$',
+                    '^(a+)*$',
+                    '^(a|aa?)+$',
+                    '^(a|aa*)+$',
+                    '^(a|a+)*$',
+                    '^(a|a?)*$',
+                    '^(a|a*)*$',
+                    '^(a?)*$',
+                    '^(a*)*$',
+                    '^(a+)?$',
+                    '^(a*)?$',
+                    'a*b*c*d*e*f*g*h*i*j*k*l*m*n*o*p*q*r*s*t*u*v*w*x*y*z*',
+                ];
+
+                for (const pattern of invalidRegexps) {
+                    const schema = {
+                        title: 'Test input schema',
+                        type: 'object',
+                        schemaVersion: 1,
+                        properties: {
+                            myField: {
+                                title: 'Field title',
+                                type: 'string',
+                                description: 'Some description ...',
+                                editor: 'textfield',
+                                pattern,
+                            },
+                        },
+                    };
+
+                    expect(() => validateInputSchema(validator, schema)).toThrow(
+                        `Input schema is not valid (The regular expression "${pattern}" in field schema.properties.myField.pattern may cause excessive backtracking or be unsafe to execute.)`,
+                    );
+                }
+            });
+        });
     });
 });