# Inefficient Regular Expression Complexity (CWE-1333)

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

**Stack:** Go

- Prevalence: Medium (covers 3 languages)
- Impact: High (1 high-severity rule)
- Prevention: 3 remediation examples documented

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Certain regular expression patterns can take exponential time to evaluate on certain inputs (ReDoS). Attackers can craft inputs that cause the regex engine to consume excessive CPU time, leading to denial of service.

## Prevention

ReDoS prevention strategy based on 1 Shoulder detection rule.

### Go

Avoid nested quantifiers in regex; use specific character classes instead.

## Consequences

- Denial of service (DoS)

## Mitigations

- Avoid nested quantifiers and overlapping alternations in regular expressions
- Apply a timeout to regular expression evaluation
- Consider using a non-backtracking regex engine

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rule)

- **Regular Expression Denial of Service** [MEDIUM]: Regex pattern with nested quantifiers causes catastrophic backtracking.
  - Remediation: Avoid nested quantifiers like (a+)+. Use possessive quantifiers or atomic groups.

```go
// Avoid patterns like: (a+)+, (.*)*
// Use specific patterns instead; an anchored character class matches in
// one linear pass with no ambiguity about which quantifier consumed which byte
re := regexp.MustCompile(`^[a-z]+$`)
```

Learn more: https://shoulder.dev/learn/go/cwe-1333/regex-dos
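The following is an added example, not code from the page or from Shoulder, illustrating the prevention advice above. One caveat a Go practitioner should know: the standard library `regexp` package implements RE2 syntax, which is non-backtracking and guarantees time linear in the product of pattern and input length, and it does not support possessive quantifiers or atomic groups at all. The nested-quantifier pattern is therefore dangerous only when the same pattern is handed to a backtracking engine (PCRE, Java, JavaScript) or a third-party Go library that backtracks. The example compares the nested pattern `^(a+)+$` with the specific `^[a-z]+$` on a constructed probe input, and adds an input-length cap (`maxInputLen`, an assumed value) so that no single match can be driven to large CPU cost even on a linear-time engine.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed patterns for this example. In a backtracking engine,
// nestedQuantifier exhibits catastrophic backtracking on inputs like
// "aaaaaaaaaaaaaaaaaaaaaaaa!" (many matches of the inner group, then a
// forced failure). Go's regexp is RE2-based and handles it in linear time.
var (
	nestedQuantifier = regexp.MustCompile(`^(a+)+$`)
	specificClass    = regexp.MustCompile(`^[a-z]+$`)
)

// maxInputLen bounds the work a single match may do. Assumed value for this
// example; derive it from the real size of the field being validated.
const maxInputLen = 1024

// ErrInputTooLong is returned when input is rejected before matching.
var ErrInputTooLong = errors.New("input exceeds maximum length for regex matching")

// SafeMatch rejects oversized input before the engine sees it, so the cost
// of one validation call stays bounded regardless of the engine in use.
func SafeMatch(re *regexp.Regexp, s string) (bool, error) {
	if len(s) > maxInputLen {
		return false, ErrInputTooLong
	}
	return re.MatchString(s), nil
}

// TimedMatch reports whether s matches re and how long the match took,
// which is the measurement a defender uses to compare candidate patterns.
func TimedMatch(re *regexp.Regexp, s string) (bool, time.Duration) {
	start := time.Now()
	ok := re.MatchString(s)
	return ok, time.Since(start)
}

// ProbeInput builds the classic worst case for a nested quantifier:
// n repetitions of the quantified atom followed by a byte that forces the
// overall match to fail, so a backtracking engine explores every split.
// Constructed test data, not captured traffic.
func ProbeInput(n int) string {
	return strings.Repeat("a", n) + "!"
}

func main() {
	probe := ProbeInput(100000)
	for name, re := range map[string]*regexp.Regexp{
		"^(a+)+$":  nestedQuantifier,
		"^[a-z]+$": specificClass,
	} {
		ok, d := TimedMatch(re, probe)
		fmt.Printf("%-10s matched=%-5v elapsed=%v\n", name, ok, d)
	}

	// The length cap refuses the probe outright, independent of the engine.
	if _, err := SafeMatch(specificClass, probe); err != nil {
		fmt.Println("rejected before matching:", err)
	}
	ok, _ := SafeMatch(specificClass, "hello")
	fmt.Println("hello accepted:", ok)
}
```

Both patterns finish in milliseconds under Go's RE2 engine even on the 100,000-byte probe; the length cap is what protects callers if the pattern is ever ported to a backtracking engine, or if the input arrives from an untrusted source where the sheer volume, not the pattern, is the cost driver.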