README.md
Lines changed: 20 additions & 5 deletions
@@ -12,7 +12,7 @@ Something something regexes are bad.
12
12
13
13
## Starriness
14
14
15
-
Not sure what to call this. This reflects the complexity of the regular expression matcher's backtracking procedure with respect to the length of the entered string.
15
+
This reflects the complexity of the regular expression matcher's backtracking procedure with respect to the length of the entered string.
16
16
17
17
With a starriness of 3, we have approximately cubic complexity. This means that if the vulnerable part of the string is doubled in length, the execution time should be 8 times longer (2^3).
18
18
For exponential REDoS with starred stars e.g. `(a*)*$` a fudge factor is used and the starriness will be greater than 10.
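Review bot: dropping "Not sure what to call this." removes the only hint that starriness is a heuristic, yet the line about `(a*)*$` still says a "fudge factor" puts starriness above 10 without saying what that number means. Since the preceding sentence teaches readers to read starriness 3 as "doubling the input costs 2^3 = 8 times longer", a value above 10 will be read as a polynomial degree rather than an "exponential" marker. Suggest stating it explicitly, e.g. "A starriness above 10 is a sentinel for exponential (nested-star) patterns, not a measured exponent."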
N.B. there are differences between javascript and python regex parsing so there may be some errors. I'm [not sure I want](https://hackernoon.com/the-madness-of-parsing-real-world-javascript-regexps-d9ee336df983) to write a JS regex AST!
130
+
N.B. there are differences between javascript and python regex parsing so there may be some errors. I'm [not sure I want](https://hackernoon.com/the-madness-of-parsing-real-world-javascript-regexps-d9ee336df983) to write a JS regex AST! Also, use NodeJS version >=12.
131
131
132
132
## Ruby
133
133
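Review bot: the new requirement "Also, use NodeJS version >=12." is tacked onto an N.B. about JavaScript/Python regex parsing differences, where readers looking for prerequisites will not find it. Suggest moving the version requirement to an installation or requirements section and, if a specific feature motivates it, naming that feature so the constraint can be revisited when it no longer applies.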
@@ -141,8 +141,23 @@ TODO: not so straight forward to extract the regexes because of the way they are
141
141
142
142
Unless you specifically use a non-deterministic finite automata, Go code is not vulnerable to this type of REDoS. It uses `re2` which does not have catastrophic backtracking.
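Review bot: "Unless you specifically use a non-deterministic finite automata" is misleading in the Go line, because Go's standard `regexp` package is itself an automaton-based (RE2-style) matcher; the property that avoids catastrophic backtracking is the absence of a backtracking engine, not the absence of an NFA. Suggest "Unless you use a third-party backtracking regex engine, Go's standard `regexp` package (RE2 semantics) guarantees linear-time matching and is not vulnerable to this type of REDoS." Also, the hunk header advertises 15 added lines but only this one context line is visible here, so the remaining additions cannot be reviewed from this rendering.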