Hi,
The ReDoS example uses two regular expressions which are missing start and end anchors:
NodeGoat/app/routes/profile.js, lines 58 to 59 in e2dffdb:
// const regexPattern = /([0-9]+)\#/;
const regexPattern = /([0-9]+)+\#/;
These regular expressions accept values such as evil123#evil.
How about:
1/ fixing these two regular expressions like this:
// const regexPattern = /^[0-9]+\#$/;
const regexPattern = /^([0-9]+)+\#$/;
2/ adding another regular expression somewhere which creates a vulnerability due to the missing anchors. This would be a good opportunity to explain CWE-777: Regular Expression without Anchors, which is quite easy to miss in JavaScript.
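As an added illustration (not code from the issue or from NodeGoat), the Node.js snippet below runs the original unanchored pattern and the proposed anchored one against a few constructed inputs, showing why an unanchored `test()` is not a whole-value check; the function names and sample inputs are assumptions.

```javascript
// Added example, not NodeGoat's code. The two patterns are the ones quoted in
// the issue; a third, anchored pattern without the nested quantifier is shown
// as the form a validator would normally use (no catastrophic backtracking).

// Unanchored, as currently in profile.js: succeeds if "<digits>#" appears
// anywhere in the value, so surrounding junk passes the check (CWE-777).
const UNANCHORED = /([0-9]+)+\#/;

// Anchored as proposed in the issue: the whole value must be digits then '#'.
const ANCHORED = /^([0-9]+)+\#$/;

// Anchored and without the nested quantifier (assumed safer form).
const ANCHORED_SAFE = /^[0-9]+\#$/;

// Returns true when `value` satisfies `pattern`, exactly as RegExp.test does.
function isValidAccount(value, pattern) {
  return pattern.test(value);
}

// Evaluates one value against all three patterns so the difference is visible.
function checkInput(value) {
  return {
    input: value,
    unanchored: isValidAccount(value, UNANCHORED),
    anchored: isValidAccount(value, ANCHORED),
    anchoredSafe: isValidAccount(value, ANCHORED_SAFE),
  };
}

// Constructed sample inputs: one legitimate value and three with extra content.
const SAMPLES = ["123#", "evil123#evil", "<b>1#", "123#\nmore"];

for (const result of SAMPLES.map(checkInput)) {
  console.log(result);
}
```

Note that JavaScript's `$` (without the `m` flag) matches only at the very end of the string, so the trailing "\nmore" sample is rejected by the anchored forms as well.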