Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Regular expression engines that match by backtracking (JavaScript, Python's re module, Java, PCRE and most others that are not RE2-based) can take exponential time to evaluate certain patterns on certain inputs. This class of bug is called Regular Expression Denial of Service (ReDoS). An attacker who controls the input can craft a string, often only a few dozen bytes long, that forces the engine to explore an enormous number of failed partial matches before giving up, pinning a CPU core for seconds or hours and denying service to other requests.
How to fix this vulnerability
Prevention strategies for ReDoS based on 3 Shoulder detection rules.
Avoid nested quantifiers in regex; use specific character classes instead

- re := regexp.MustCompile("(a+)+b")
+ re := regexp.MustCompile("^[a-z]+b$")

The rewritten pattern is illustrative rather than equivalent: it anchors the match and widens the accepted characters, so adjust the class to what the input actually needs. Note also that Go's regexp package is RE2-based and guarantees linear-time matching, so "(a+)+b" cannot be driven into exponential backtracking in Go itself; removing the nested quantifier still matters when the same pattern is copied into a backtracking engine such as JavaScript, Python or Java, or when a code scanner flags it by shape.
Avoid nested quantifiers in regex and validate input length before matching

- const emailRegex = /^([a-zA-Z0-9]+\.)+[a-zA-Z]{2,}$/;
- if (emailRegex.test(req.body.email)) {
+ const validator = require('validator');
+
+ if (typeof req.body.email !== 'string' || req.body.email.length > 254) {
+   return res.status(400).json({ error: 'Input too long' });
+ }
+ if (validator.isEmail(req.body.email)) {
    processEmail(req.body.email);
  }

The length check runs before any regex sees the input, so an oversized payload is rejected at constant cost. The type check is needed as well: a missing or non-string body field would otherwise throw on .length before the validator is reached. Delegating the email syntax to a maintained library avoids hand-rolling a pattern with the (X+)+ shape that the original regex had.
Replace nested quantifiers with simple patterns and bounded repetition

  import re

- email_pattern = re.compile(r'^([a-zA-Z0-9._-]+)+@[a-zA-Z0-9.-]+$')
+ email_pattern = re.compile(r'^[a-zA-Z0-9._-]{1,64}@[a-zA-Z0-9.-]{1,255}$')

  def validate_email(email):
      return email_pattern.match(email)

The fixed pattern has a single quantifier per segment and an explicit upper bound on each, so the engine's work grows linearly with the input. Two caveats for Python callers: in the re module "$" also matches just before a trailing newline, so use fullmatch() (or "\Z") when the whole string must conform, and the bounds above do not replace an overall length check performed before matching.
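To see why the three fixes above work, it helps to run the "before" and "after" email patterns side by side. The script below is an added example, not code from this page or from the Shoulder tooling: it reuses the page's two Python patterns, builds the kind of attacker input that triggers catastrophic backtracking (a run of local-part characters followed by a byte that can never match "@"), times both patterns on it, and shows the hardened validator with the 254-byte cap taken from the page's JavaScript example. The payload, the MAX_EMAIL_LEN constant and the function names are assumptions made for the demonstration.

```python
import re
import time

# "Before" pattern from the page: the outer '+' wrapped around an inner '+' lets a
# backtracking engine split a run of local-part characters into 2^(n-1) groupings
# before it concludes that no '@' follows.
VULNERABLE_EMAIL = re.compile(r'^([a-zA-Z0-9._-]+)+@[a-zA-Z0-9.-]+$')

# "After" pattern from the page, minus '^' and '$': fullmatch() anchors it and,
# unlike '$' in Python's re, does not accept a trailing newline.
SAFE_EMAIL = re.compile(r'[a-zA-Z0-9._-]{1,64}@[a-zA-Z0-9.-]{1,255}')

# Assumed application limit, matching the 254-byte cap in the page's JavaScript fix.
MAX_EMAIL_LEN = 254


def redos_payload(n: int) -> str:
    """Constructed attacker input: n local-part characters followed by a byte that is
    neither a local-part character nor '@', so every grouping the nested quantifier
    tries must fail and be retried."""
    return "a" * n + "!"


def timed_match(pattern: re.Pattern, text: str):
    """Return (matched, seconds) for one fullmatch() call."""
    start = time.perf_counter()
    matched = pattern.fullmatch(text) is not None
    return matched, time.perf_counter() - start


def validate_email_safe(email: str) -> bool:
    """Length cap first (constant cost, rejects oversized input before the engine
    sees it), then the linear-time pattern."""
    if len(email) > MAX_EMAIL_LEN:
        return False
    return SAFE_EMAIL.fullmatch(email) is not None


if __name__ == "__main__":
    # Each extra character roughly doubles the vulnerable pattern's time; stay small.
    for n in (14, 16, 18, 20):
        payload = redos_payload(n)
        _, slow = timed_match(VULNERABLE_EMAIL, payload)
        _, fast = timed_match(SAFE_EMAIL, payload)
        print(f"n={n:2d}  vulnerable={slow:8.4f}s  safe={fast:.6f}s")
    print(validate_email_safe("alice@example.com"))   # True
    print(validate_email_safe(redos_payload(250)))    # False, returns immediately
```

Run it and watch the vulnerable column roughly double with every two extra characters while the safe column stays flat; the length cap in validate_email_safe() means an input of 250 bytes never reaches the engine at all, and even without it the bounded pattern fails in linear time.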
Key Practices
- Avoid patterns whose worst-case matching time is exponential in the input length, in particular a quantified group that itself contains a quantifier, such as (a+)+ or ([a-z]+\.)+
- Replace nested quantifiers with a single character class and a bounded repetition, such as [a-z]{1,64}
- Validate input length before handing it to a regex, so oversized input is rejected at constant cost
- Prefer a maintained validation library (for example validator.isEmail) over a hand-written pattern for common formats
Find vulnerabilities in your code
Use Shoulder to scan your codebase for Inefficient Regular Expression Complexity patterns. 3 rules.
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=1333

# Or scan entire project
npx @shoulderdev/cli trust .
Detection Rules (3)
What to watch for in code reviews
These patterns indicate potential Inefficient Regular Expression Complexity vulnerabilities. Look for these during code reviews and security audits.
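The shape every vulnerable pattern on this page shares is a repeated group that contains a repeated element: (a+)+, ([a-zA-Z0-9]+\.)+, ([a-zA-Z0-9._-]+)+. The following reviewer aid is an added example, not Shoulder's detection rule or any code from this page: a small scanner that walks a pattern string, tracks escapes, character classes and (?...) group prefixes so that [a+]+ and \(a+\)+ are not misreported, and flags each group that is quantified with *, + or {m,n} while also containing a quantifier. The function names and the sample pattern list are assumptions; the heuristic does not catch overlapping alternations such as (a|a)+, which can also backtrack catastrophically and still need a human eye.

```python
import re

# Quantifiers that repeat the preceding atom; a lone '?' only makes it optional.
REPEAT_QUANTIFIERS = "*+{"


def find_nested_quantifiers(pattern: str):
    """Return [(group_start, group_end, quantifier), ...] for every group that is
    itself repeated and contains a repeated sub-expression: the (X+)+ shape.
    Assumed review heuristic, not a full regex parser."""
    findings = []
    open_groups = []      # stack of [start_index, contains_repetition]
    last_closed = None    # (start, end, contains_repetition) of the group just closed
    in_class = False
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                         # escaped char: never a group or quantifier
            i += 2
            continue
        if in_class:                          # inside [...] nothing is a quantifier
            in_class = c != "]"
            i += 1
            continue
        if c == "[":
            in_class = True
            i += 1
            if i < n and pattern[i] == "^":
                i += 1
            if i < n and pattern[i] == "]":   # a leading ']' is a literal inside a class
                i += 1
            continue
        if c == "(":
            open_groups.append([i, False])
            i += 1
            if i < n and pattern[i] == "?":   # (?:  (?=  (?!  (?<=  (?<!  (?P<name>  (?<name>
                i += 1
                while i < n and pattern[i] not in ":=!>)":
                    i += 1
                if i < n and pattern[i] != ")":
                    i += 1
            continue
        if c == ")":
            if open_groups:
                start, repeated = open_groups.pop()
                last_closed = (start, i, repeated)
            i += 1
            continue
        if c in REPEAT_QUANTIFIERS:
            if c == "{":
                close = pattern.find("}", i)
                if close == -1:               # a bare '{' is a literal
                    i += 1
                    continue
                quant = pattern[i:close + 1]
                i = close + 1
            else:
                quant = c
                i += 1
            if i < n and pattern[i] in "?+":  # lazy or possessive suffix
                quant += pattern[i]
                i += 1
            quantified_index = i - len(quant) - 1   # last char of the repeated atom
            if last_closed and last_closed[1] == quantified_index and last_closed[2]:
                findings.append((last_closed[0], last_closed[1], quant))
            for group in open_groups:         # every enclosing group now holds a repetition
                group[1] = True
            continue
        i += 1
    return findings


def review_patterns(patterns):
    """Map each pattern to its findings; an empty list means the heuristic is clean."""
    return {p: find_nested_quantifiers(p) for p in patterns}


if __name__ == "__main__":
    # Constructed sample: the page's before/after patterns plus two look-alikes.
    samples = [
        r"(a+)+b",
        r"^[a-z]+b$",
        r"^([a-zA-Z0-9]+\.)+[a-zA-Z]{2,}$",
        r"^([a-zA-Z0-9._-]+)+@[a-zA-Z0-9.-]+$",
        r"^[a-zA-Z0-9._-]{1,64}@[a-zA-Z0-9.-]{1,255}$",
        r"[a+]+",
        r"\(a+\)+",
    ]
    for pat, hits in review_patterns(samples).items():
        re.compile(pat)                       # make sure each sample is a valid pattern
        print(f"{'FLAG ' if hits else 'ok   '}{pat}  {hits}")
```

Each finding gives the index range of the offending group and the quantifier applied to it, which is enough to point a reviewer at the exact span to rewrite; treat it as a triage list, since engine behaviour (RE2-style linear matchers versus backtracking ones) decides whether a flagged shape is actually exploitable.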