
Why not detect (a+)+

Open nibiwodong opened this issue 3 years ago • 3 comments

Why not detect (a+)+

Welcome to Regexploit. Enter your regexes:
(a+)+
No ReDoS found.

nibiwodong avatar Apr 30 '21 11:04 nibiwodong

Same doubt.

SugarP1g avatar Jul 05 '22 08:07 SugarP1g

As intended.

There is no payload which will cause backtracking with this regex unless you are using it with a function like Python's re.fullmatch. A slight trade-off to avoid false positives.

/(a+)+/.test('ay')  // js matches, no ReDoS possible
import re
re.compile(r"(a+)+").match("ay")  # python matches, no ReDoS possible

It does find ReDoS when it is possible to cause backtracking:

Welcome to Regexploit. Enter your regexes:
(a+)+$
Pattern: (a+)+$
---
Redos(starriness=11, prefix_sequence=SEQ{  }, redos_sequence=SEQ{ [a]{1+}{1+} $[a] }, repeated_character=[a], killer=[^a])
Worst-case complexity: 11 ⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐ (exponential)
Repeated character: [a]
Final character to cause backtracking: [^a]
Example: 'a' * 3456 + '0'

(a+)+x
Pattern: (a+)+x
---
Redos(starriness=11, prefix_sequence=SEQ{  }, redos_sequence=SEQ{ [a]{1+}{1+} [x] }, repeated_character=[a], killer=None)
Worst-case complexity: 11 ⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐ (exponential)
Repeated character: [a]
Example: 'a' * 3456

(a+)+\w
Pattern: (a+)+\w
---
Redos(starriness=11, prefix_sequence=SEQ{  }, redos_sequence=SEQ{ [a]{1+}{1+} [WORD] }, repeated_character=[a], killer=[^WORD])
Worst-case complexity: 11 ⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐ (exponential)
Repeated character: [a]
Final character to cause backtracking: [^WORD]
Example: 'a' * 3456 + '!'

b-c-ds avatar Jul 05 '22 15:07 b-c-ds

A follow-up to this question: how come it doesn't seem to find ReDoS for patterns like (a|aa)+ or (a|a?)+? Both examples are from OWASP: https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

shiraSC avatar Nov 13 '23 19:11 shiraSC