# Inefficient Regular Expression Complexity (CWE-1333)

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

**Stack:** Go

- Prevalence: 보통 3개 언어 지원
- Impact: 높음 1개의 높은 심각도 규칙
- Prevention: 문서화됨 3개의 수정 예시

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Certain regular expression patterns can take exponential time to evaluate on certain inputs (ReDoS). Attackers can craft inputs that cause the regex engine to consume excessive CPU time, leading to denial of service.

## Prevention

1개의 Shoulder 탐지 규칙을 기반으로 한 ReDoS 예방 전략.

### Go

Avoid nested quantifiers in regex; use specific character classes instead

## Consequences

- DoS

## Mitigations

- 정규식에서 중첩 수량자와 겹치는 분기(alternation)를 피하세요
- 정규식에 타임아웃 메커니즘을 사용하세요
- 백트래킹을 하지 않는 정규식 엔진 사용을 검토하세요

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **Regular Expression Denial of Service** [MEDIUM]: Regex pattern with nested quantifiers causes catastrophic backtracking.
  - Remediation: Avoid nested quantifiers like (a+)+. Use possessive quantifiers or atomic groups.

```go
// Avoid patterns like: (a+)+, (.*)*
// Use specific patterns instead
re := regexp.MustCompile(`^[a-z]+$`)
```

Learn more: https://shoulder.dev/learn/go/cwe-1333/regex-dos