
Inefficient Regular Expression Complexity

🛡️ 3 rules detect this issue


The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Some regular expression patterns take time exponential in the input length when evaluated against particular inputs (ReDoS). An attacker who controls the matched string can craft input that makes the regex engine consume excessive CPU time, causing a denial of service.

Prevalence
Covers 3 languages
Impact
1 rule with High severity
Prevention
Documented
3 fix examples

2 Prevention

How to fix this vulnerability

ReDoS prevention strategies based on 3 Shoulder detection rules.

Regular Expression Denial of Service MEDIUM

Avoid nested quantifiers in regex; use specific character classes instead

+1 -1 go
- re := regexp.MustCompile("(a+)+b")
+ re := regexp.MustCompile("^[a-z]+b$")
  
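Review bot: the replacement `^[a-z]+b$` is not a behaviour-preserving rewrite of `(a+)+b`: it adds anchors and widens `a` to `[a-z]`, so it now accepts strings the original rejected (`xb`) and rejects strings the original matched (`aab` embedded in a longer input). The shape of the fix is right, a single unnested quantifier over a specific character class, but state the grammar the caller actually needs before substituting the pattern so the change is reviewed as a semantic change, not just a performance one.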
Regular Expression Denial of Service (ReDoS) HIGH

Avoid nested quantifiers in regex and validate input length before matching

+6 -2 javascript
- const emailRegex = /^([a-zA-Z0-9]+\.)+[a-zA-Z]{2,}$/;
- if (emailRegex.test(req.body.email)) {
+ const validator = require('validator');
+ 
+ if (req.body.email.length > 254) {
+   return res.status(400).json({ error: 'Input too long' });
+ }
+ if (validator.isEmail(req.body.email)) {
    processEmail(req.body.email);
  }
  
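Review bot: the guard on the `+ if (req.body.email.length > 254)` line reads `.length` before checking that `req.body.email` is a string, so a missing field throws a TypeError instead of returning 400, and a non-string value (number, array, object) falls through to `validator.isEmail`, which expects a string argument. Fold a type check into the same condition, e.g. `if (typeof req.body.email !== 'string' || req.body.email.length > 254) {`, so the length cap and the library call both see a string.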
Regular Expression Denial of Service (ReDoS) MEDIUM

Replace nested quantifiers with simple patterns and bounded repetition

+1 -1 python
  import re
  
- email_pattern = re.compile(r'^([a-zA-Z0-9._-]+)+@[a-zA-Z0-9.-]+$')
+ email_pattern = re.compile(r'^[a-zA-Z0-9._-]{1,64}@[a-zA-Z0-9.-]{1,255}$')
  
  def validate_email(email):
      return email_pattern.match(email)
  
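Review bot: `email_pattern.match(email)` with a trailing `$` still accepts a final newline, because in Python `$` matches before a trailing `\n` (so `'a@b.com\n'` passes); use `email_pattern.fullmatch(email)` or end the pattern with `\Z` so the bounded pattern is also an exact one. The bounded, unnested quantifiers do remove the backtracking blowup; separately, the function returns a Match object rather than a boolean, and `return email_pattern.fullmatch(email) is not None` makes the validation result explicit for callers.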

Key practices

  • Avoid patterns whose matching can take exponential time on certain inputs
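The three fixes above share one shape: a quantified group that itself contains a quantifier (`(a+)+`, `([a-zA-Z0-9]+\.)+`, `([a-zA-Z0-9._-]+)+`) is replaced by a single bounded or unnested quantifier, and the JavaScript fix additionally caps input length before matching. The following is an added example, not Shoulder's code or one of its rules: a small nested-quantifier lint that flags the page's three "before" patterns and passes the three "after" patterns, plus a validator that combines the 254-character guard from the JavaScript fix with the bounded pattern from the Python fix. The function names, the `SAMPLE_PATTERNS` table and the `MAX_EMAIL_LEN` constant are this example's own assumptions.

```python
import re

# Added example (not Shoulder's code): a heuristic lint for the nested-quantifier
# shape that the three rules above flag, plus an email check that puts a length
# guard in front of a bounded, unnested pattern.

_COUNTED = re.compile(r'\{\d+(,\d*)?\}')  # {n}, {n,} or {n,m}


def _metachars(pattern):
    """Yield (index, char) for characters that are neither backslash-escaped nor
    inside a character class, so '[(+]' and '\\(' are not mistaken for syntax."""
    i, in_class = 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':
            i += 2          # skip the escaped character
            continue
        if in_class:
            in_class = c != ']'
        elif c == '[':
            in_class = True
        else:
            yield i, c
        i += 1


def _quantifier_end(pattern, i):
    """If a repeat quantifier (+, * or {n,m}) starts at index i, return the index
    just past it, else None. A lone '?' is ignored: it allows at most one
    repetition and cannot multiply the engine's search space."""
    if i >= len(pattern):
        return None
    if pattern[i] in '+*':
        return i + 1
    m = _COUNTED.match(pattern, i)
    return m.end() if m else None


def find_nested_quantifiers(pattern):
    """Return the text of every quantified group that itself contains a quantified
    element, e.g. ['(a+)+'] for '(a+)+b'. This catches the nested-quantifier shape
    only; other ReDoS sources (such as overlapping alternations) are out of scope."""
    inner = [i for i, _ in _metachars(pattern) if _quantifier_end(pattern, i)]
    stack, findings = [], []
    for i, c in _metachars(pattern):
        if c == '(':
            stack.append(i)
        elif c == ')' and stack:
            start = stack.pop()
            end = _quantifier_end(pattern, i + 1)   # is the group itself repeated?
            if end and any(start < q < i for q in inner):
                findings.append(pattern[start:end])
    return findings


# Constructed sample: the 'before' and 'after' patterns from the fixes above.
SAMPLE_PATTERNS = {
    "go-before": r"(a+)+b",
    "go-after": r"^[a-z]+b$",
    "js-before": r"^([a-zA-Z0-9]+\.)+[a-zA-Z]{2,}$",
    "py-before": r"^([a-zA-Z0-9._-]+)+@[a-zA-Z0-9.-]+$",
    "py-after": r"^[a-zA-Z0-9._-]{1,64}@[a-zA-Z0-9.-]{1,255}$",
}


def audit(patterns):
    """Map each pattern name to its nested-quantifier findings (empty list = clean)."""
    return {name: find_nested_quantifiers(p) for name, p in patterns.items()}


MAX_EMAIL_LEN = 254   # assumed cap, taken from the JavaScript fix above
# Bounded, unnested pattern from the Python fix above; fullmatch replaces the
# ^...$ anchors so a trailing newline is not silently accepted.
SAFE_EMAIL = re.compile(r'[a-zA-Z0-9._-]{1,64}@[a-zA-Z0-9.-]{1,255}')


def validate_email(email):
    """Reject non-strings and over-long input before the engine sees it, then
    match the bounded pattern; returns a plain bool."""
    if not isinstance(email, str) or len(email) > MAX_EMAIL_LEN:
        return False
    return SAFE_EMAIL.fullmatch(email) is not None


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_PATTERNS).items():
        print(f"{name:10s} {'FLAG ' + ', '.join(hits) if hits else 'ok'}")
    print(validate_email("alice@example.com"), validate_email("a" * 300 + "@example.com"))
```

Running the block prints a FLAG line for the three "before" patterns and "ok" for the three "after" patterns. The lint is deliberately conservative: it reports only a group that is repeated with `+`, `*` or `{n,m}` and that contains a repeated element, which is the exact shape all three fixes remove, and it ignores escaped parentheses and brackets inside character classes so that `\(a+\)+` is not a false positive.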
3 Detection

Find vulnerabilities in your code

Scan your code for Inefficient Regular Expression Complexity patterns with Shoulder. 3 rules.

Terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=1333

# Or scan entire project
npx @shoulderdev/cli trust .

Detection rules (3)

4 Warning signs

What to look for in code review

These patterns indicate potential Inefficient Regular Expression Complexity vulnerabilities. Look for them during code review and security audits.

🟠 javascript-regex-dos: potentially catastrophic regular expressions that could lead to ReDoS attacks
🟡 python-redos: regular expressions with catastrophic backtracking patterns that can cause exponential time complexity

Scan your codebase: Inefficient Regular Expression Complexity

Shoulder CLI finds vulnerable patterns across your entire codebase.