# Inefficient Regular Expression Complexity (CWE-1333)

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

**Stack:** Go

- Prevalence: 中 3 言語をカバー
- Impact: ハイ 1 件の重大度ハイのルール
- Prevention: 文書化済み 3 件の修正例

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Certain regular expression patterns can take exponential time to evaluate on certain inputs (ReDoS). Attackers can craft inputs that cause the regex engine to consume excessive CPU time, leading to denial of service.

## Prevention

1 件の Shoulder 検出ルールに基づく ReDoS の予防策。

### Go

Avoid nested quantifiers in regex; use specific character classes instead

## Consequences

- DoS

## Mitigations

- 正規表現でネストした量指定子や重なり合う選択肢を避ける
- 正規表現にタイムアウト機構を導入する
- バックトラッキングを行わない正規表現エンジンの利用を検討する

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **Regular Expression Denial of Service** [MEDIUM]: Regex pattern with nested quantifiers causes catastrophic backtracking.
  - Remediation: Avoid nested quantifiers like (a+)+. Use possessive quantifiers or atomic groups.

```go
// Avoid patterns like: (a+)+, (.*)*
// Use specific patterns instead
re := regexp.MustCompile(`^[a-z]+$`)
```

Learn more: https://shoulder.dev/learn/go/cwe-1333/regex-dos