Summary
Our IT Applications Security team security scan flagged multiple instances of dynamic regular expression creation in utils.js within the intl-tel-input library. The rule triggered is eslint.detect-non-literal-regexp, which warns about potential risks when regex patterns are constructed dynamically.
Details
- File: js/utils.js
- Rule: eslint.detect-non-literal-regexp
- Severity: Medium (per our SAST tool)
Why This Matters
Dynamic regex creation can pose a security risk if user-controlled input is passed directly into RegExp(). While in this library the patterns appear to be internally generated, security tools flag this as a best-practice violation.
Screenshots
Expected Behavior
Static analysis tools recommend using literal regex patterns or sanitizing input before constructing regex dynamically.
Suggested Actions
- Confirm that all dynamic regex values are from trusted sources.
- Consider adding input sanitization or escaping logic if any user input can reach these regex constructors.
- Optionally, document why dynamic regex is safe in this context to help downstream consumers pass security audits.
Additional Context
This issue was flagged during a SAST scan in an enterprise environment. We are not requesting immediate code changes but would appreciate:
- Maintainer confirmation that this is safe.
- Any guidance or best practices for consumers of the library.
Thank you for maintaining this library.
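As an added illustration of the escaping the report suggests (example code written for this page, not code from intl-tel-input or its maintainers): the `escapeRegExp` helper below is the standard MDN-style escape of every regex metacharacter, and `buildLiteralMatcher` shows how untrusted text can be turned into a literal matcher before it reaches `new RegExp()`. The function names and the sample phone-number string are constructed for the example.

```javascript
// Added example, not part of intl-tel-input. Shows the mitigation that
// eslint.detect-non-literal-regexp is pointing at: never hand untrusted text
// to the RegExp constructor without escaping it first.

// Escape every character with special meaning in a JavaScript pattern.
// The class lists the metacharacters MDN recommends escaping; the result is
// valid with or without the "u" flag.
function escapeRegExp(str) {
  return String(str).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build a regex that matches the literal text `needle`. Because every
// metacharacter is escaped, the pattern contains no quantifiers, so it
// also cannot trigger catastrophic backtracking (ReDoS).
function buildLiteralMatcher(needle, flags = "") {
  return new RegExp(escapeRegExp(needle), flags);
}

// Contrast: the naive form the scanner flags. Fine for internally generated
// patterns, dangerous if `needle` can be attacker-controlled.
function buildUnsafeMatcher(needle, flags = "") {
  return new RegExp(needle, flags);
}

// Demonstration over constructed sample data.
function demo() {
  const haystack = "call +44 20 7946 0958 or +1 (555) 010-9999"; // constructed
  const untrusted = "+1 (555)"; // constructed input: "+" and "(" are metacharacters

  // Unescaped, "+1 (555)" is not even a valid pattern ("+" has nothing to repeat).
  let unsafeError = null;
  try {
    buildUnsafeMatcher(untrusted);
  } catch (e) {
    unsafeError = e.constructor.name;
  }

  // Escaped, it matches the literal substring as intended.
  const safe = buildLiteralMatcher(untrusted);

  return {
    unsafeError,                                              // "SyntaxError"
    safeSource: safe.source,                                  // "\\+1 \\(555\\)"
    safeMatches: safe.test(haystack),                         // true
    dotIsLiteral: buildLiteralMatcher(".").test("abc"),       // false
  };
}

console.log(demo());
```

Escaping is the right tool when the input must be matched verbatim. Where the library only ever needs digits or a fixed set of characters, validating against an allowlist before building the pattern is simpler still and is the kind of reasoning a maintainer can cite to close this finding.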