Duplicate character in character class
ID: js/regex/duplicate-in-character-class
Kind: problem
Security severity:
Severity: warning
Precision: very-high
Tags:
- quality
- reliability
- correctness
- regular-expressions
Query suites:
- javascript-security-and-quality.qls
Character classes in regular expressions (denoted by square brackets []) represent sets of characters where the pattern matches any single character from that set. Since character classes are sets, specifying the same character multiple times is redundant and often indicates a programming error.
Common mistakes include:
- Using square brackets [] instead of parentheses () for grouping alternatives
- Misunderstanding that special regex characters like |, *, +, (), and - work differently when appearing inside a character class
- Accidentally duplicating characters or escape sequences that represent the same character
Recommendation
Examine each duplicate character to determine the intended behavior:
- If you see | inside square brackets (e.g., [a|b|c]): This is usually a mistake. The author likely intended alternation. Replace the character class with a group: (a|b|c)
- If trying to match alternative strings, use parentheses () for grouping instead of square brackets
- If the duplicate was truly accidental, remove the redundant characters
- If trying to use special regex operators inside square brackets, note that most operators (like |) are treated as literal characters

Note that simply removing | characters from character classes is rarely the correct fix. Instead, analyze the pattern to understand what the author intended to match.
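The check described above can be approximated with a small scanner. The following is an added example, not the CodeQL query or any code from its documentation: it walks a regular expression's source text, parses each character class (understanding backslash escapes and a-z ranges, but not every construct such as \p{...} or nested classes under the v flag), and reports classes with a repeated member. Following the recommendation above, it also flags a literal | inside a class even when nothing is duplicated, which goes slightly beyond a pure duplicate check. The function name findDuplicateClassMembers and the result shape are assumptions of this example.

```javascript
// Added example (not part of the CodeQL query or its documentation).
// Scans a regex source for character classes with repeated members and
// notes a literal '|' inside a class, which usually means alternation was intended.
// Handles backslash escapes (\d, \], ...) and x-y ranges; does not handle
// \p{...} or nested classes (v flag).

function findDuplicateClassMembers(regex) {
  const src = typeof regex === 'string' ? regex : regex.source;
  const findings = [];
  let i = 0;
  while (i < src.length) {
    if (src[i] === '\\') { i += 2; continue; }   // escaped char outside a class
    if (src[i] !== '[') { i += 1; continue; }
    const start = i;
    i += 1;
    if (src[i] === '^') i += 1;                    // negated class: '^' is not a member
    const counts = new Map();                      // member text -> occurrences
    while (i < src.length && src[i] !== ']') {
      let member = readAtom(src, i);
      i += member.length;
      // "x-y" is one range member, unless '-' is the last thing in the class.
      if (src[i] === '-' && i + 1 < src.length && src[i + 1] !== ']') {
        const hi = readAtom(src, i + 1);
        member = `${member}-${hi}`;
        i += 1 + hi.length;
      }
      counts.set(member, (counts.get(member) || 0) + 1);
    }
    const classText = src.slice(start, i + 1);
    const duplicates = [...counts].filter(([, n]) => n > 1).map(([m]) => m);
    const hasBar = counts.has('|');
    if (duplicates.length > 0 || hasBar) {
      findings.push({ characterClass: classText, duplicates, looksLikeAlternation: hasBar });
    }
    i += 1;   // step past ']'
  }
  return findings;
}

// One class member: a backslash escape (two characters) or a single character.
function readAtom(src, i) {
  return src[i] === '\\' ? src.slice(i, i + 2) : src[i];
}

// Demonstration on the patterns from this page plus a clean one.
for (const r of [/[password|pwd] =/, /r?e[m|x]/, /v[h|w|min|max]/, /[a-zA-Z0-9_]+/]) {
  console.log(r.source, '->', JSON.stringify(findDuplicateClassMembers(r)));
}
```

The scanner reports [password|pwd] with the repeated members p, s, w and d and marks it as probable alternation; [m|x] has no duplicate but is still reported because of the |, while [a-zA-Z0-9_] produces no finding because each range is counted as a single member.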
Example
Example 1: Confusing character classes with groups
The pattern [password|pwd] does not match “password” or “pwd” as intended. Instead, it matches any single character from the set {p, a, s, w, o, r, d, |}. Note that | has no special meaning inside character classes.

if (/[password|pwd] =/.test(input)) // character class, not alternation: any one character from the set followed by " ="
    console.log("Found password!");

To fix this problem, the regular expression should be rewritten to /(password|pwd) =/.
Example 2: CSS unit matching

The pattern r?e[m|x] appears to be trying to match “rem” or “rex”, but actually matches “re” followed by any of the characters {m, |, x}. The correct pattern should be r?e(m|x) or r?e[mx].

Similarly, v[h|w|min|max] should be v(h|w|min|max) to properly match “vh”, “vw”, “vmin”, or “vmax”.
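To make the difference between the buggy and the corrected patterns from both examples concrete, here is an added example (not code from the page): it runs each pair against a constructed list of inputs and returns which inputs each pattern accepts. The comparison patterns are anchored with ^ and $ so that each result is about whole strings; a separate function reproduces the unanchored test() from Example 1 to show why that check also fires on input that contains no password at all. The inputs, function names compare, matchedBy and originalCheckFires are assumptions of this example.

```javascript
// Added example (not from the original page). Compares what the buggy
// character-class patterns and the corrected group patterns accept.

// Returns the subset of `candidates` that `pattern` matches.
function matchedBy(pattern, candidates) {
  return candidates.filter((s) => pattern.test(s));
}

function compare(buggy, fixed, inputs) {
  return { buggy: matchedBy(buggy, inputs), fixed: matchedBy(fixed, inputs) };
}

// Example 1, anchored: the class accepts exactly ONE character from the set.
const buggyPassword = /^[password|pwd] =$/;
const fixedPassword = /^(password|pwd) =$/;
const passwordInputs = ['password =', 'pwd =', 'd =', '| =', 'user ='];   // constructed

// The page's original, unanchored check. Because 'r' and 'd' are in the set,
// "user =" and "password =" both end in "<set char> =" and both fire.
function originalCheckFires(input) {
  return /[password|pwd] =/.test(input);
}

// Example 2, anchored: CSS length units.
const buggyUnit = /^r?e[m|x]$/;
const fixedUnit = /^r?e(m|x)$/;          // or /^r?e[mx]$/
const unitInputs = ['rem', 'rex', 're|', 'em', 'ex', 'e|'];                 // constructed

const buggyViewport = /^v[h|w|min|max]$/;
const fixedViewport = /^v(h|w|min|max)$/;
const viewportInputs = ['vh', 'vw', 'vmin', 'vmax', 'vm', 'v|'];            // constructed

for (const [name, buggy, fixed, inputs] of [
  ['password', buggyPassword, fixedPassword, passwordInputs],
  ['unit', buggyUnit, fixedUnit, unitInputs],
  ['viewport', buggyViewport, fixedViewport, viewportInputs],
]) {
  console.log(name, JSON.stringify(compare(buggy, fixed, inputs)));
}
console.log('unanchored "user ="   fires:', originalCheckFires('user ='));
console.log('unanchored "password =" fires:', originalCheckFires('password ='));
```

Anchored, the buggy password pattern accepts only "d =" and "| =" and rejects "password =" outright, while the unanchored original fires on "user =" as well as on "password =". For the viewport units the class version accepts "vh", "vw", "vm" and "v|" but never "vmin" or "vmax", since a class can only ever consume one character.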
References
- Mozilla Developer Network: JavaScript Regular Expressions.
- MDN: Character Classes - Details on how character classes work.
- MDN: Groups and Ranges - Proper use of grouping with parentheses.