The quadratic behaviour doesn't appear if you use re.compile(r"\s+$").match (or equivalent). It appears when used with re.search or re.sub as they scan the input.
I guess I should make clear that Regexploit will have some false negatives as it's mostly looking for ambiguous patterns (and exponential regexes) which seem to be common mistakes. For starters, Regexploit is currently only reporting ReDoS which is cubic or worse to avoid false positives as quadratic regexes are everywhere. In most cases I've seen, exponential ReDoS causes problems after tens of characters, cubic ReDoS after a few thousand characters, but quadratic requires tens of thousands of characters which in many cases is prevented by other application or protocol limits. I should probably add a flag to report quadratic ReDoS, but the heuristic check for now would still miss SO's issue.
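To make the re.search-versus-re.match point above concrete, here is an added example (not code from the Regexploit project or from either participant in this thread). It uses a deliberately simple model of a backtracking engine to count the work done for `\s+$` when the pattern is retried at every offset (as re.search and re.sub do) versus anchored at offset 0 (as re.match does), and it pairs the StackOverflow trim pattern with a single-pass linear trim that returns the same result. The step-count model, the `simulated_steps`/`growth_ratio`/`trim_*` function names and the sample inputs are all constructed for illustration; the model is not CPython's sre implementation, it only reproduces the growth order.

```python
import re
import time

# Constructed example: models why \s+$ is quadratic under re.search/re.sub but
# linear under re.match, and shows a linear replacement for the trim pattern
# quoted in the issue.  Names and inputs below are illustrative assumptions.

TRAILING_WS = re.compile(r"\s+$")
SO_TRIM = re.compile(r"^[\s\u200c]+|[\s\u200c]+$")  # the pattern from the issue
EXTRA_TRIM_CHARS = "\u200c"  # zero-width non-joiner, as in the pattern above


def simulated_steps(s: str, mode: str) -> int:
    """Count character checks a simplified backtracking engine makes for \\s+$.

    mode="search" retries the pattern at every offset, as re.search/re.sub do;
    mode="match" anchors the single attempt at offset 0, as re.match does.
    This is an assumed, simplified model of backtracking, not CPython's sre
    engine, but it reproduces the quadratic-versus-linear growth order.
    """
    n = len(s)
    starts = range(n) if mode == "search" else range(1)
    steps = 0
    for i in starts:
        # Greedy \s+ consumes every whitespace char from offset i.
        j = i
        while j < n and s[j].isspace():
            j += 1
            steps += 1
        if j == i:
            steps += 1  # s[i] is not whitespace: this attempt fails at once
            continue
        # Test $ after the greedy run, then give back one char at a time.
        # Every give-back re-tests $, and doing that from every offset is
        # what makes the scanning case quadratic.
        k = j
        while k > i:
            steps += 1
            if k == n:
                return steps  # $ satisfied: match found
            k -= 1
    return steps


def growth_ratio(mode: str, m: int = 200) -> float:
    """Steps for 2m spaces + 'x' divided by steps for m spaces + 'x'.

    About 4 means quadratic, about 2 means linear.
    """
    small = simulated_steps(" " * m + "x", mode)
    large = simulated_steps(" " * (2 * m) + "x", mode)
    return large / small


def trim_regex(s: str) -> str:
    """Trim with the issue's pattern: quadratic on a long inner whitespace run."""
    return SO_TRIM.sub("", s)


def trim_linear(s: str) -> str:
    """Same result as trim_regex, but one pass inward from each end (O(n))."""
    def strippable(c: str) -> bool:
        return c.isspace() or c in EXTRA_TRIM_CHARS

    start, end = 0, len(s)
    while start < end and strippable(s[start]):
        start += 1
    while end > start and strippable(s[end - 1]):
        end -= 1
    return s[start:end]


def time_trim(fn, s: str) -> float:
    """Wall-clock seconds for one call, for a quick local comparison only."""
    t0 = time.perf_counter()
    fn(s)
    return time.perf_counter() - t0


if __name__ == "__main__":
    for mode in ("search", "match"):
        print(f"{mode}: growth ratio when input doubles = {growth_ratio(mode):.2f}")
    # Constructed payload: a non-space, a long run of spaces, a non-space, so
    # neither alternative can match and every offset backtracks to exhaustion.
    payload = "x" + " " * 20000 + "x"
    for fn in (trim_regex, trim_linear):
        print(f"{fn.__name__}: {time_trim(fn, payload):.3f}s")
```

Run it and the `search` ratio lands near 4 while the `match` ratio is exactly 2; the wall-clock comparison on the constructed payload shows the same difference in the real `re` module, with `trim_linear` returning identical output to `trim_regex` on every input.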
Should we expect regexploit to warn about the kind of Regular Expression Backtracking which caused an outage on StackOverflow (`^[\s\u200c]+|[\s\u200c]+$`) or is it out of scope of this tool?