ajv-validator
diff --git a/‎README.md‎
Lines changed: 7 additions & 1 deletion b/‎README.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎lib/ajv.d.ts‎
Lines changed: 5 additions & 0 deletions b/‎lib/ajv.d.ts‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎lib/compile/index.js‎
Lines changed: 8 additions & 6 deletions b/‎lib/compile/index.js‎
Lines changed: 8 additions & 6 deletions
diff --git a/‎lib/dot/pattern.jst‎
Lines changed: 15 additions & 4 deletions b/‎lib/dot/pattern.jst‎
Lines changed: 15 additions & 4 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 0 deletions b/‎package.json‎
Lines changed: 1 addition & 0 deletions
@@ -1215,7 +1215,8 @@ Defaults:
   sourceCode:       false,
   processCode:      undefined, // function (str: string, schema: object): string {}
   cache:            new Cache,
-  serialize:        undefined
+  serialize:        undefined,
+  regExp:           undefined // custom RegExp engine
 }
 ```
 
@@ -1329,6 +1330,11 @@ Defaults:
   - `transpile` that transpiled asynchronous validation function. You can still use `transpile` option with [ajv-async](https://github.com/ajv-validator/ajv-async) package. See [Asynchronous validation](#asynchronous-validation) for more information.
 - _cache_: an optional instance of cache to store compiled schemas using stable-stringified schema as a key. For example, set-associative cache [sacjs](https://github.com/epoberezkin/sacjs) can be used. If not passed then a simple hash is used which is good enough for the common use case (a limited number of statically defined schemas). Cache should have methods `put(key, value)`, `get(key)`, `del(key)` and `clear()`.
 - _serialize_: an optional function to serialize schema to cache key. Pass `false` to use schema itself as a key (e.g., if WeakMap used as a cache). By default [fast-json-stable-stringify](https://github.com/epoberezkin/fast-json-stable-stringify) is used.
+- _regExp_: an optional function to create RegExp objects. This allows using a custom RegExp engine (e.g., [RE2](https://github.com/uhop/node-re2)) to mitigate ReDoS attacks. The function must have the signature `(pattern: string) => RegExpLike` where `RegExpLike` is an object with a `test(string) => boolean` method. Example with RE2:
+  ```javascript
+  var ajv = new Ajv({regExp: require('re2')});
+  ```
+  By default (`undefined`), native `RegExp` constructor is used.
 
 
 ## Validation errors
 
@@ -203,6 +203,11 @@ declare namespace ajv {
     logger?: CustomLogger | false;
     nullable?: boolean;
     serialize?: ((schema: object | boolean) => any) | false;
+    regExp?: (pattern: string) => RegExpLike;
+  }
+
+  interface RegExpLike {
+    test: (s: string) => boolean;
   }
 
   type FormatValidator = string | RegExp | ((data: string) => boolean | PromiseLike<any>);
 
@@ -42,6 +42,11 @@ function compile(schema, root, localRefs, baseId) {
     , defaultsHash = {}
     , customRules = [];
 
+  function patternCode(i, patterns) {
+    var regExpCode = opts.regExp ? 'regExp' : 'new RegExp';
+    return 'var pattern' + i + ' = ' + regExpCode + '(' + util.toQuotedString(patterns[i]) + ');';
+  }
+
   root = root || { schema: schema, refVal: refVal, refs: refs };
 
   var c = checkCompiling.call(this, schema, root, baseId);
@@ -128,6 +133,7 @@ function compile(schema, root, localRefs, baseId) {
         'equal',
         'ucs2length',
         'ValidationError',
+        'regExp',
         sourceCode
       );
 
@@ -141,7 +147,8 @@ function compile(schema, root, localRefs, baseId) {
         customRules,
         equal,
         ucs2length,
-        ValidationError
+        ValidationError,
+        opts.regExp
       );
 
       refVal[0] = validate;
@@ -358,11 +365,6 @@ function compIndex(schema, root, baseId) {
 }
 
 
-function patternCode(i, patterns) {
-  return 'var pattern' + i + ' = new RegExp(' + util.toQuotedString(patterns[i]) + ');';
-}
-
-
 function defaultCode(i) {
   return 'var default' + i + ' = defaults[' + i + '];';
 }
 
@@ -4,11 +4,22 @@
 {{# def.$data }}
 
 {{
-  var $regexp = $isData
-                ? '(new RegExp(' + $schemaValue + '))'
-                : it.usePattern($schema);
+  var $regExpCode = it.opts.regExp ? 'regExp' : 'new RegExp';
 }}
 
-if ({{# def.$dataNotType:'string' }} !{{=$regexp}}.test({{=$data}}) ) {
+{{? $isData }}
+  var {{=$valid}} = true;
+  try {
+    {{=$valid}} = {{=$regExpCode}}({{=$schemaValue}}).test({{=$data}});
+  } catch(e) {
+    {{=$valid}} = false;
+  }
+  if ({{# def.$dataNotType:'string' }} !{{=$valid}}) {
+{{??}}
+  {{
+    var $regexp = it.usePattern($schema);
+  }}
+  if ({{# def.$dataNotType:'string' }} !{{=$regexp}}.test({{=$data}}) ) {
+{{?}}
   {{# def.error:'pattern' }}
 } {{? $breakOnError }} else { {{?}}
@@ -90,6 +90,7 @@
     "mocha": "^8.0.1",
     "nyc": "^15.0.0",
     "pre-commit": "^1.1.1",
+    "re2": "^1.21.4",
     "require-globify": "^1.3.0",
     "typescript": "^3.9.5",
     "uglify-js": "^3.6.9",