No mention of catastrophic backtracking #111
Comments
hi @davisjam,
@ziishaned I can prepare a PR with a small section about backtracking if you would be interested. Let me know.
To avoid the backtracking, you need to give the regex engine clear boundary points that it won't backtrack past. For example, this regex is vulnerable: In your example, the problematic piece is Since what you want is a sequence of
Note I added a + to the first group (since it is always required) and I made the
Thank you so much @davisjam,
Regular expressions can be vulnerable to Regular Expression Denial of Service (ReDoS). Snyk.io has a good writeup, and the .NET docs have a thorough treatment as well (1, 2).
Catastrophic backtracking affects nearly every major language, including Perl, Ruby, Java, JavaScript, Python, C#, C++11, and PHP. A guide to regular expressions is incomplete without a warning about ReDoS.
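The backtracking problem the thread describes, as an added example that is not from the issue or from the repository it concerns: the two patterns below are constructed for this demonstration, one with an optional separator that lets the engine split a run of word characters in exponentially many ways, and one where the required space is the kind of boundary point the comment above recommends. The timing harness is the check a test suite would apply to any regex that sees untrusted input, and the comparison function shows why a rewrite must be verified against real inputs, since tightening the pattern also changes what it accepts.

```python
from __future__ import annotations

import re
import time

# Constructed patterns for this demonstration (not the regexes discussed in the
# issue). Both are meant to accept "words separated by single spaces".
# VULNERABLE: '\s?' is optional, so a run of n word characters can be divided
# among iterations of the outer '*' in 2^(n-1) ways; on a near-miss input the
# engine tries every division before reporting failure.
VULNERABLE = re.compile(r"^(\w+\s?)*$")
# SAFE: the mandatory '\s' between words is a boundary the engine cannot
# backtrack past ambiguously, so a failed match costs O(n) instead of O(2^n).
SAFE = re.compile(r"^\w+(\s\w+)*$")


def probe(n: int) -> str:
    """Adversarial near-miss input: n word characters followed by a character
    that can never match, forcing the engine to exhaust its backtracking."""
    return "a" * n + "!"


def timed_match(pattern: re.Pattern, text: str):
    """Return (matched, seconds) for one anchored match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def growth_ratio(pattern: re.Pattern, n_small: int = 14, n_large: int = 20) -> float:
    """Match time at n_large divided by match time at n_small.

    A pattern that degrades gracefully stays roughly linear (ratio near
    n_large / n_small); catastrophic backtracking roughly doubles the time
    per extra character, so the ratio explodes (about 2**6 here)."""
    _, t_small = timed_match(pattern, probe(n_small))
    _, t_large = timed_match(pattern, probe(n_large))
    return t_large / max(t_small, 1e-9)


def differences(texts) -> list:
    """Inputs on which the rewrite decides differently from the original.
    SAFE is stricter: it rejects the empty string and trailing whitespace,
    which VULNERABLE accepts, so a rewrite needs a corpus check like this."""
    return [t for t in texts if bool(VULNERABLE.match(t)) != bool(SAFE.match(t))]


if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        matched, secs = timed_match(pat, probe(20))
        print(f"{name:10s} matched={matched} time={secs:.4f}s growth={growth_ratio(pat):.1f}x")
    print("decisions differ on:", differences(["hello world", "hello  world", "hello world ", ""]))
```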