Inefficient Regular Expression Complexity (CWE-1333)

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Certain regular expression patterns can take exponential time to evaluate on certain inputs (ReDoS). Attackers can craft inputs that cause the regex engine to consume excessive CPU time, leading to denial of service.

보급률

보통

3개 언어 지원

영향

높음

1개의 높은 심각도 규칙

예방

문서화됨

3개의 수정 예시

2 예방

이 취약점을 수정하는 방법

3개의 Shoulder 탐지 규칙을 기반으로 한 ReDoS 예방 전략.

🐹 Go 모두 보기 Go 자세히 →

Regular Expression Denial of Service MEDIUM

Avoid nested quantifiers in regex; use specific character classes instead

+1 -1 go

- re := regexp.MustCompile("(a+)+b")
+ re := regexp.MustCompile("^[a-z]+b$")

🟨 JavaScript 모두 보기 JavaScript 자세히 →

Regular Expression Denial of Service (ReDoS) HIGH

Avoid nested quantifiers in regex and validate input length before matching

+6 -2 javascript

- const emailRegex = /^([a-zA-Z0-9]+\.)+[a-zA-Z]{2,}$/;
- if (emailRegex.test(req.body.email)) {
+ const validator = require('validator');
+ 
+ if (req.body.email.length > 254) {
+   return res.status(400).json({ error: 'Input too long' });
+ }
+ if (validator.isEmail(req.body.email)) {
    processEmail(req.body.email);
  }

🐍 Python 모두 보기 Python 자세히 →

Regular Expression Denial of Service (ReDoS) MEDIUM

Replace nested quantifiers with simple patterns and bounded repetition

+1 -1 python

  import re
  
- email_pattern = re.compile(r'^([a-zA-Z0-9._-]+)+@[a-zA-Z0-9.-]+$')
+ email_pattern = re.compile(r'^[a-zA-Z0-9._-]{1,64}@[a-zA-Z0-9.-]{1,255}$')
  
  def validate_email(email):
      return email_pattern.match(email)

핵심 실천 사항

Use exponential time complexity when matching certain inputs

3 탐지

코드에서 취약점 찾기

Shoulder를 사용하여 코드에서 Inefficient Regular Expression Complexity 패턴을 스캔하세요. 3 규칙.

터미널

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=1333

# Or scan entire project
npx @shoulderdev/cli trust .

탐지 규칙 (3)

🐹 Go 1 rules

Regular Expression Denial of Service MEDIUM

Regex pattern with nested quantifiers causes catastrophic backtracking.

🟨 Javascript 1 rules

Regular Expression Denial of Service (ReDoS) HIGH

Detects potentially catastrophic regular expressions that could lead to ReDoS attacks. ReDoS occurs when regular expressions with certain patterns cause exponential backtracking, leading to excessive CPU consumption. Evil regexes typically contain: 1. Nested quantifiers (e.g., (a+)+, (a*)*) 2. Alternation with overlapping patterns (e.g., (a|ab)*, (a|a)*) 3. Grouping with repetition where the group can match the same input in multiple ways 4. Complex patterns with overlapping possibilities that

🔷 Typescript 1 rules

Regular Expression Denial of Service (ReDoS) HIGH

🐍 Python 1 rules

Regular Expression Denial of Service (ReDoS) MEDIUM

Detects regular expressions with catastrophic backtracking patterns that can cause exponential time complexity when matching certain inputs. Attackers can exploit this to cause denial of service. Use simpler patterns or set timeouts.

4 경고 신호

코드 리뷰에서 주의할 점

이 패턴은 잠재적인 Inefficient Regular Expression Complexity 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.

🟠

potentially catastrophic regular expressions that could lead to ReDoS attacks javascript-regex-dos

🟡

regular expressions with catastrophic backtracking patterns that can cause exponential time complexi python-redos

🔍

코드베이스를 스캔하세요: Inefficient Regular Expression Complexity

Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.

npx shoulder trust 모든 규칙 보기