Inefficient Regular Expression Complexity (CWE-1333)

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Certain regular expression patterns can take exponential time to evaluate on certain inputs (ReDoS). Attackers can craft inputs that cause the regex engine to consume excessive CPU time, leading to denial of service.

普及度

中

3 言語をカバー

影響度

ハイ

1 件の重大度ハイのルール

予防

文書化済み

3 件の修正例

2 予防

この脆弱性の修正方法

3 件の Shoulder 検出ルールに基づく ReDoS の予防策。

🐹 Go すべて表示 Go 詳細 →

Regular Expression Denial of Service MEDIUM

Avoid nested quantifiers in regex; use specific character classes instead

+1 -1 go

- re := regexp.MustCompile("(a+)+b")
+ re := regexp.MustCompile("^[a-z]+b$")

🟨 JavaScript すべて表示 JavaScript 詳細 →

Regular Expression Denial of Service (ReDoS) HIGH

Avoid nested quantifiers in regex and validate input length before matching

+6 -2 javascript

- const emailRegex = /^([a-zA-Z0-9]+\.)+[a-zA-Z]{2,}$/;
- if (emailRegex.test(req.body.email)) {
+ const validator = require('validator');
+ 
+ if (req.body.email.length > 254) {
+   return res.status(400).json({ error: 'Input too long' });
+ }
+ if (validator.isEmail(req.body.email)) {
    processEmail(req.body.email);
  }

🐍 Python すべて表示 Python 詳細 →

Regular Expression Denial of Service (ReDoS) MEDIUM

Replace nested quantifiers with simple patterns and bounded repetition

+1 -1 python

  import re
  
- email_pattern = re.compile(r'^([a-zA-Z0-9._-]+)+@[a-zA-Z0-9.-]+$')
+ email_pattern = re.compile(r'^[a-zA-Z0-9._-]{1,64}@[a-zA-Z0-9.-]{1,255}$')
  
  def validate_email(email):
      return email_pattern.match(email)

主要なプラクティス

Use exponential time complexity when matching certain inputs

3 検出

コードの脆弱性を見つける

Shoulderを使用してコードのInefficient Regular Expression Complexityパターンをスキャンしましょう。 3 ルール.

ターミナル

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=1333

# Or scan entire project
npx @shoulderdev/cli trust .

検出ルール (3)

🐹 Go 1 rules

Regular Expression Denial of Service MEDIUM

Regex pattern with nested quantifiers causes catastrophic backtracking.

🟨 Javascript 1 rules

Regular Expression Denial of Service (ReDoS) HIGH

Detects potentially catastrophic regular expressions that could lead to ReDoS attacks. ReDoS occurs when regular expressions with certain patterns cause exponential backtracking, leading to excessive CPU consumption. Evil regexes typically contain: 1. Nested quantifiers (e.g., (a+)+, (a*)*) 2. Alternation with overlapping patterns (e.g., (a|ab)*, (a|a)*) 3. Grouping with repetition where the group can match the same input in multiple ways 4. Complex patterns with overlapping possibilities that

🔷 Typescript 1 rules

Regular Expression Denial of Service (ReDoS) HIGH

🐍 Python 1 rules

Regular Expression Denial of Service (ReDoS) MEDIUM

Detects regular expressions with catastrophic backtracking patterns that can cause exponential time complexity when matching certain inputs. Attackers can exploit this to cause denial of service. Use simpler patterns or set timeouts.

4 警告サイン

コードレビューで注目すべき点

これらのパターンはInefficient Regular Expression Complexityの潜在的な脆弱性を示しています。コードレビューとセキュリティ監査中に探してください。

🟠

potentially catastrophic regular expressions that could lead to ReDoS attacks javascript-regex-dos

🟡

regular expressions with catastrophic backtracking patterns that can cause exponential time complexi python-redos

🔍

コードベースをスキャン: Inefficient Regular Expression Complexity

Shoulder CLI はコードベース全体から脆弱なパターンを見つけます。

npx shoulder trust すべてのルールを表示