Inefficient Regular Expression Complexity (CWE-1333)

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Certain regular expression patterns can take exponential time to evaluate on certain inputs (ReDoS). Attackers can craft inputs that cause the regex engine to consume excessive CPU time, leading to denial of service.

Rozpowszechnienie

Średnia

Pokryto 3 języków

Wplyw

Wysoki

1 reguł o wysokim poziomie

Zapobieganie

Udokumentowane

3 przykładów poprawek

2 Zapobieganie

Jak naprawić tę podatność

Strategie zapobiegania dla ReDoS oparte na 3 regułach detekcji Shoulder.

🐹 Go Zobacz wszystko Go szczegóły →

Regular Expression Denial of Service MEDIUM

Avoid nested quantifiers in regex; use specific character classes instead

+1 -1 go

- re := regexp.MustCompile("(a+)+b")
+ re := regexp.MustCompile("^[a-z]+b$")

🟨 JavaScript Zobacz wszystko JavaScript szczegóły →

Regular Expression Denial of Service (ReDoS) HIGH

Avoid nested quantifiers in regex and validate input length before matching

+6 -2 javascript

- const emailRegex = /^([a-zA-Z0-9]+\.)+[a-zA-Z]{2,}$/;
- if (emailRegex.test(req.body.email)) {
+ const validator = require('validator');
+ 
+ if (req.body.email.length > 254) {
+   return res.status(400).json({ error: 'Input too long' });
+ }
+ if (validator.isEmail(req.body.email)) {
    processEmail(req.body.email);
  }

🐍 Python Zobacz wszystko Python szczegóły →

Regular Expression Denial of Service (ReDoS) MEDIUM

Replace nested quantifiers with simple patterns and bounded repetition

+1 -1 python

  import re
  
- email_pattern = re.compile(r'^([a-zA-Z0-9._-]+)+@[a-zA-Z0-9.-]+$')
+ email_pattern = re.compile(r'^[a-zA-Z0-9._-]{1,64}@[a-zA-Z0-9.-]{1,255}$')
  
  def validate_email(email):
      return email_pattern.match(email)

Kluczowe praktyki

Use exponential time complexity when matching certain inputs

3 Wykrywanie

Znajdz podatnosci w swoim kodzie

Uzyj Shoulder do skanowania kodu w poszukiwaniu wzorcow Inefficient Regular Expression Complexity. 3 reguly.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=1333

# Or scan entire project
npx @shoulderdev/cli trust .

Reguly Wykrywania (3)

🐹 Go 1 rules

Regular Expression Denial of Service MEDIUM

Regex pattern with nested quantifiers causes catastrophic backtracking.

🟨 Javascript 1 rules

Regular Expression Denial of Service (ReDoS) HIGH

Detects potentially catastrophic regular expressions that could lead to ReDoS attacks. ReDoS occurs when regular expressions with certain patterns cause exponential backtracking, leading to excessive CPU consumption. Evil regexes typically contain: 1. Nested quantifiers (e.g., (a+)+, (a*)*) 2. Alternation with overlapping patterns (e.g., (a|ab)*, (a|a)*) 3. Grouping with repetition where the group can match the same input in multiple ways 4. Complex patterns with overlapping possibilities that

🔷 Typescript 1 rules

Regular Expression Denial of Service (ReDoS) HIGH

🐍 Python 1 rules

Regular Expression Denial of Service (ReDoS) MEDIUM

Detects regular expressions with catastrophic backtracking patterns that can cause exponential time complexity when matching certain inputs. Attackers can exploit this to cause denial of service. Use simpler patterns or set timeouts.

4 Sygnaly Ostrzegawcze

Na co zwracac uwage podczas przegladu kodu

Te wzorce wskazuja na potencjalne podatnosci Inefficient Regular Expression Complexity. Szukaj ich podczas przegladow kodu i audytow bezpieczenstwa.

🟠

potentially catastrophic regular expressions that could lead to ReDoS attacks javascript-regex-dos

🟡

regular expressions with catastrophic backtracking patterns that can cause exponential time complexi python-redos

🔍

Przeskanuj swój kod w poszukiwaniu Inefficient Regular Expression Complexity

Shoulder CLI znajduje podatne wzorce w całym Twoim kodzie.

npx shoulder trust Przeglądaj wszystkie reguły