CodeQL documentation

Duplicate character in character class

ID: js/regex/duplicate-in-character-class
Kind: problem
Security severity: 
Severity: warning
Precision: very-high
Tags:
   - quality
   - reliability
   - correctness
   - regular-expressions
Query suites:
   - javascript-security-and-quality.qls


Character classes in regular expressions (denoted by square brackets []) represent sets of characters where the pattern matches any single character from that set. Since character classes are sets, specifying the same character multiple times is redundant and often indicates a programming error.

Common mistakes include:

  • Using square brackets [] instead of parentheses () for grouping alternatives

  • Misunderstanding that special regex characters like |, *, +, (), and - work differently when appearing inside a character class

  • Accidentally duplicating characters or escape sequences that represent the same character

Recommendation

Examine each duplicate character to determine the intended behavior:

  • If you see | inside square brackets (e.g., [a|b|c]): This is usually a mistake. The author likely intended alternation. Replace the character class with a group: (a|b|c)

  • If trying to match alternative strings, use parentheses () for grouping instead of square brackets

  • If the duplicate was truly accidental, remove the redundant characters

  • If trying to use special regex operators inside square brackets, note that most operators (like |) are treated as literal characters

Note that simply removing | characters from character classes is rarely the correct fix. Instead, analyze the pattern to understand what the author intended to match.

Example

Example 1: Confusing character classes with groups

The pattern [password|pwd] does not match “password” or “pwd” as intended. Instead, it matches any single character from the set {p, a, s, w, o, r, d, |}. Note that | has no special meaning inside character classes.

if (/[password|pwd] =/.test(input))
	console.log("Found password!");

To fix this problem, the regular expression should be rewritten to /(password|pwd) =/.

Example 2: CSS unit matching

The pattern r?e[m|x] appears to be trying to match “rem” or “rex”, but actually matches “re” followed by any of the characters {m, |, x}. The correct pattern should be r?e(m|x) or r?e[mx].

Similarly, v[h|w|min|max] should be v(h|w|min|max) to properly match “vh”, “vw”, “vmin”, or “vmax”.
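
The check described on this page, as an added JavaScript example (not CodeQL's query and not code from the CodeQL project): a simplified scanner that reports characters repeated inside a character class. The name findDuplicateClassChars is hypothetical; ranges such as a-z and escapes such as \d are skipped rather than expanded, and nested classes under the v flag are not handled.

```javascript
// Added example: simplified duplicate-in-character-class check.
// Assumptions: ranges (a-z) and class escapes (\d, \w, \n) are skipped, not expanded.
function findDuplicateClassChars(source) {
  const findings = [];
  let i = 0;
  while (i < source.length) {
    if (source[i] === "\\") { i += 2; continue; }  // escaped char outside a class
    if (source[i] !== "[") { i += 1; continue; }
    const start = i++;
    if (source[i] === "^") i++;                    // negation marker is not a member
    const seen = new Set();
    const dups = new Set();
    // In JavaScript an unescaped ] always closes the class.
    while (i < source.length && source[i] !== "]") {
      const escaped = source[i] === "\\";
      const ch = escaped ? source[i + 1] : source[i];
      const len = escaped ? 2 : 1;
      const next = source[i + len];
      const afterNext = source[i + len + 1];
      if (next === "-" && afterNext !== undefined && afterNext !== "]") {
        // Range such as a-z: skip both endpoints without expanding it.
        i += len + 1 + (afterNext === "\\" ? 2 : 1);
        continue;
      }
      // Escapes like \d, \w, \n are classes or control characters, not literals.
      const literal = !(escaped && /[A-Za-z0-9]/.test(ch));
      if (literal) (seen.has(ch) ? dups : seen).add(ch);
      i += len;
    }
    if (dups.size > 0) {
      findings.push({ charClass: source.slice(start, i + 1), duplicates: [...dups] });
    }
    i++;                                           // step past the closing ]
  }
  return findings;
}

// Patterns from this page's examples, plus the fixed form of Example 1.
const samples = [/[password|pwd] =/, /r?e[m|x]/, /v[h|w|min|max]/, /(password|pwd) =/];
for (const re of samples) {
  console.log(re.source, JSON.stringify(findDuplicateClassChars(re.source)));
}

// Constructed input showing the impact: the class form fires on an unrelated assignment.
console.log(/[password|pwd] =/.test("id = 7"), /(password|pwd) =/.test("id = 7"));
```

In this simplified check, r?e[m|x] produces no finding because none of m, | and x repeats, so a | inside square brackets still deserves a manual look even when nothing is duplicated.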

© GitHub, Inc.