Inefficient Regular Expression Complexity (CWE-1333)

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Certain regular expression patterns can take exponential time to evaluate on certain inputs (ReDoS). Attackers can craft inputs that cause the regex engine to consume excessive CPU time, leading to denial of service.

Verbreitung

Mittel

3 Sprachen abgedeckt

Auswirkung

Hoch

1 Regeln mit hohem Schweregrad

Prävention

Dokumentiert

3 Fix-Beispiele

2 Prävention

So behebst du diese Schwachstelle

Präventionsstrategien für ReDoS basierend auf 3 Shoulder-Erkennungsregeln.

🐹 Go Alle anzeigen Go Details →

Regular Expression Denial of Service MEDIUM

Avoid nested quantifiers in regex; use specific character classes instead

+1 -1 go

- re := regexp.MustCompile("(a+)+b")
+ re := regexp.MustCompile("^[a-z]+b$")

🟨 JavaScript Alle anzeigen JavaScript Details →

Regular Expression Denial of Service (ReDoS) HIGH

Avoid nested quantifiers in regex and validate input length before matching

+6 -2 javascript

- const emailRegex = /^([a-zA-Z0-9]+\.)+[a-zA-Z]{2,}$/;
- if (emailRegex.test(req.body.email)) {
+ const validator = require('validator');
+ 
+ if (req.body.email.length > 254) {
+   return res.status(400).json({ error: 'Input too long' });
+ }
+ if (validator.isEmail(req.body.email)) {
    processEmail(req.body.email);
  }

🐍 Python Alle anzeigen Python Details →

Regular Expression Denial of Service (ReDoS) MEDIUM

Replace nested quantifiers with simple patterns and bounded repetition

+1 -1 python

  import re
  
- email_pattern = re.compile(r'^([a-zA-Z0-9._-]+)+@[a-zA-Z0-9.-]+$')
+ email_pattern = re.compile(r'^[a-zA-Z0-9._-]{1,64}@[a-zA-Z0-9.-]{1,255}$')
  
  def validate_email(email):
      return email_pattern.match(email)

Wichtige Praktiken

Use exponential time complexity when matching certain inputs

3 Erkennung

Finden Sie Schwachstellen in Ihrem Code

Verwenden Sie Shoulder, um Ihren Code nach Inefficient Regular Expression Complexity-Mustern zu scannen. 3 Regeln.

Terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=1333

# Or scan entire project
npx @shoulderdev/cli trust .

Erkennungsregeln (3)

🐹 Go 1 rules

Regular Expression Denial of Service MEDIUM

Regex pattern with nested quantifiers causes catastrophic backtracking.

🟨 Javascript 1 rules

Regular Expression Denial of Service (ReDoS) HIGH

Detects potentially catastrophic regular expressions that could lead to ReDoS attacks. ReDoS occurs when regular expressions with certain patterns cause exponential backtracking, leading to excessive CPU consumption. Evil regexes typically contain: 1. Nested quantifiers (e.g., (a+)+, (a*)*) 2. Alternation with overlapping patterns (e.g., (a|ab)*, (a|a)*) 3. Grouping with repetition where the group can match the same input in multiple ways 4. Complex patterns with overlapping possibilities that

🔷 Typescript 1 rules

Regular Expression Denial of Service (ReDoS) HIGH

🐍 Python 1 rules

Regular Expression Denial of Service (ReDoS) MEDIUM

Detects regular expressions with catastrophic backtracking patterns that can cause exponential time complexity when matching certain inputs. Attackers can exploit this to cause denial of service. Use simpler patterns or set timeouts.

4 Warnzeichen

Worauf bei Code-Reviews zu achten ist

Diese Muster weisen auf potenzielle Inefficient Regular Expression Complexity-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.

🟠

potentially catastrophic regular expressions that could lead to ReDoS attacks javascript-regex-dos

🟡

regular expressions with catastrophic backtracking patterns that can cause exponential time complexi python-redos

🔍

Scanne deine Codebasis nach Inefficient Regular Expression Complexity

Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.

npx shoulder trust Alle Regeln durchsuchen