fix(input_schema): Remove safe regex check (#558)

mfori · web-flow · commit 4a92fccbf87d · 2025-10-28T18:08:54.000+01:00
The used package for malicious regex detection (`safe-regex`) produces lot of false-positives, so this PR now removes the check completely and I will figure out what next later. Reported here: https://apify.slack.com/archives/C0L33UM7Z/p1761580328353969
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/input_schema/package.json b/packages/input_schema/package.json
@@ -52,8 +52,7 @@
         "@apify/input_secrets": "^1.2.11",
         "@apify/json_schemas": "^0.7.0",
         "acorn-loose": "^8.4.0",
-        "countries-list": "^3.0.0",
-        "safe-regex": "^2.1.1"
+        "countries-list": "^3.0.0"
     },
     "peerDependencies": {
         "ajv": "^8.0.0"
diff --git a/packages/input_schema/src/utilities.ts b/packages/input_schema/src/utilities.ts
@@ -2,7 +2,6 @@ import { parse } from 'acorn-loose';
 import type { ValidateFunction } from 'ajv';
 import type Ajv from 'ajv/dist/2019';
 import { countries } from 'countries-list';
-import safe from 'safe-regex';
 
 import { PROXY_URL_REGEX, URL_REGEX } from '@apify/consts';
 import { isEncryptedValueForFieldSchema, isEncryptedValueForFieldType } from '@apify/input_secrets';
@@ -369,19 +368,19 @@ export function ensureAjvSupportsDraft2019(ajvInstance: Ajv) {
  * @param fieldKey The field key where the pattern is used (for error messages).
  */
 export function validateRegexpPattern(pattern: string, fieldKey: string) {
-    let regex: RegExp;
-
     try {
         // Validate that the pattern is a valid regular expression
-        regex = new RegExp(pattern);
+        // eslint-disable-next-line
+        new RegExp(pattern);
     } catch {
         const message = m('inputSchema.validation.regexpNotValid', { pattern, fieldKey });
         throw new Error(`Input schema is not valid (${message})`);
     }
 
+    // TODO: add check for safe regex but figure out how to avoid false positives with some valid regexes
     // Check if the regex is safe (to avoid ReDoS attacks)
-    if (!safe(regex)) {
-        const message = m('inputSchema.validation.regexpNotSafe', { pattern, fieldKey });
-        throw new Error(`Input schema is not valid (${message})`);
-    }
+    // if (!safe(regex)) {
+    //     const message = m('inputSchema.validation.regexpNotSafe', { pattern, fieldKey });
+    //     throw new Error(`Input schema is not valid (${message})`);
+    // }
 }
diff --git a/test/input_schema.test.ts b/test/input_schema.test.ts
@@ -1066,49 +1066,6 @@ describe('input_schema.json', () => {
                     'Input schema is not valid (The regular expression "^[0-9+$" in field schema.properties.objectField.patternValue must be valid.)',
                 );
             });
-
-            it('should throw error on not safe regexp', () => {
-                const invalidRegexps = [
-                    '(a+)+$',
-                    '^(a|a?)+$',
-                    '^(a|a*)+$',
-                    '^(a|a+)+$',
-                    '^(a?)+$',
-                    '^(a*)+$',
-                    '^(a+)*$',
-                    '^(a|aa?)+$',
-                    '^(a|aa*)+$',
-                    '^(a|a+)*$',
-                    '^(a|a?)*$',
-                    '^(a|a*)*$',
-                    '^(a?)*$',
-                    '^(a*)*$',
-                    '^(a+)?$',
-                    '^(a*)?$',
-                    'a*b*c*d*e*f*g*h*i*j*k*l*m*n*o*p*q*r*s*t*u*v*w*x*y*z*',
-                ];
-
-                for (const pattern of invalidRegexps) {
-                    const schema = {
-                        title: 'Test input schema',
-                        type: 'object',
-                        schemaVersion: 1,
-                        properties: {
-                            myField: {
-                                title: 'Field title',
-                                type: 'string',
-                                description: 'Some description ...',
-                                editor: 'textfield',
-                                pattern,
-                            },
-                        },
-                    };
-
-                    expect(() => validateInputSchema(validator, schema)).toThrow(
-                        `Input schema is not valid (The regular expression "${pattern}" in field schema.properties.myField.pattern may cause excessive backtracking or be unsafe to execute.)`,
-                    );
-                }
-            });
         });
     });
 });
