Regular expressions are used in almost every programming language to validate whether user input adheres to an expected condition. Attackers can exploit poorly constructed regular expressions to trigger a Regular Expression Denial of Service (ReDoS).
The regex engine can take a large amount of time on poorly defined expressions. Consider the regex ([0-9]+)+\#. The table below shows how the number of backtracking steps increases exponentially as the position of the unmatched character moves further into the string.
| String | Number of Digits | Number of Steps |
|---|---|---|
To prevent this danger, we can use the validator npm package. It provides a library of string validators and sanitizers for things like IP addresses, emails, and phone numbers. For regular expressions we must write ourselves, we can use tools like the safe-regex npm package to detect dangerous patterns before they reach production.
We encourage you to take a look at some examples in the
Try out the regular expression ([0-9]+)+\# in the browser. Notice how the processing time for certain unmatched inputs is longer.
Now replace the regular expression in the browser with [0-9]+\#, an equivalent regular expression that matches the same strings but doesn't lead to catastrophic backtracking. Notice how the processing time across the input strings is pretty much the same, meaning this regular expression is far less likely to trigger a ReDoS.