Switch to re2 for pattern validation

Standard RegExp is vulnerable to ReDoS, which means SSDK users have to be
careful when crafting patterns constraints. re2 does not have this problem,
at the expense of not supporting lookahead or backreferences.

Author: adamthom-amzn

smithy-typescript-ssdk-libs/server-common/package.json

@@ -22,7 +22,8 @@
     "@aws-sdk/protocol-http": "3.34.0",
     "@aws-sdk/smithy-client": "3.34.0",
     "@aws-sdk/types": "3.34.0",
-    "tslib": "^1.8.0"
+    "tslib": "^1.8.0",
+    "re2": "^1.16.0"
   },
   "devDependencies": {
     "@types/jest": "^26.0.22",

smithy-typescript-ssdk-libs/server-common/src/validation/validators.spec.ts

@@ -142,6 +142,20 @@ describe("pattern validation", () => {
       path: "aField",
     });
   });
+  it("is not vulnerable to ReDoS", () => {
+    const validator = new PatternValidator("^([0-9]+)+$");
+    expect(
+      validator.validate(
+        "000000000000000000000000000000000000000000000000000000000000000000000000000000000000!",
+        "aField"
+      )
+    ).toEqual({
+      constraintType: "pattern",
+      constraintValues: "^([0-9]+)+$",
+      failureValue: "000000000000000000000000000000000000000000000000000000000000000000000000000000000000!",
+      path: "aField",
+    });
+  });
 });
 
 describe("range validation", () => {

smithy-typescript-ssdk-libs/server-common/src/validation/validators.ts

@@ -13,6 +13,8 @@
  *  permissions and limitations under the License.
  */
 
+import RE2 from "re2";
+
 import {
   EnumValidationFailure,
   LengthValidationFailure,
@@ -257,11 +259,11 @@ export class RangeValidator implements SingleConstraintValidator<number, RangeVa
 
 export class PatternValidator implements SingleConstraintValidator<string, PatternValidationFailure> {
   private readonly inputPattern: string;
-  private readonly pattern: RegExp;
+  private readonly pattern: RE2;
 
   constructor(pattern: string) {
     this.inputPattern = pattern;
-    this.pattern = new RegExp(pattern, "u");
+    this.pattern = new RE2(pattern, "u");
   }
 
   validate(input: string | undefined | null, path: string): PatternValidationFailure | null {