Show HN: Redos-analyzer – static ReDoS detection and auto-fix for Python

github.com

1 points by kingkongsatan a month ago · 0 comments · 1 min read

At 13:42 UTC on July 2, 2019, an engineer working for Cloudflare made changes to the regular ruleset that was being used by their Web Application Firewall. In under three minutes, there was an 80% drop in the amount of traffic globally. The load on all HTTP serving CPUs in their network hit 100%. It was caused by one regular expression intended to detect XSS attacks, which contained the regular expression pattern `.(?:.=.)`. This pattern included two quantifiers using `.` on the same character class.

That was the result of a production ReDoS.

I was interested to know how frequent such patterns are in Python libraries that we use every day.
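The pattern shape described above (two adjacent unbounded quantifiers over overlapping character classes), as an added example that is not part of the post or of the redos-analyzer project: a stdlib-only check that walks the parse tree produced by Python's own regex engine and flags each risky adjacency. It assumes the internal module `re._parser` (the former `sre_parse`), and the function names and the conservative handling of `.` and of classes such as `\w` are my own choices.

```python
# Added example, not the tool's own code: flag the outage's ReDoS shape (adjacent
# unbounded quantifiers whose atoms overlap) via Python's own regex parse tree.
try:
    from re import _parser as sre_parse  # Python 3.11+
except ImportError:
    import sre_parse  # Python <= 3.10
MAXREPEAT = sre_parse.MAXREPEAT
REPEATS = ("MAX_REPEAT", "MIN_REPEAT")
_name = lambda op: getattr(op, "name", str(op))  # opcode -> "MAX_REPEAT" etc.
def first_chars(item):  # code points an item can start with; None = anything
    op, arg = item
    if _name(op) == "LITERAL":
        return {arg}
    if _name(op) == "IN":  # character class: collect literals and ranges
        chars = set()
        for sub_op, sub_arg in arg:
            if _name(sub_op) == "LITERAL":
                chars.add(sub_arg)
            elif _name(sub_op) == "RANGE":
                chars.update(range(sub_arg[0], sub_arg[1] + 1))
            else:  # NEGATE or a category such as \w: stay conservative
                return None
        return chars
    if _name(op) in REPEATS or _name(op) == "SUBPATTERN":
        body = arg[-1]  # repeat: (min, max, body); group: (..., body)
        return first_chars(body[0]) if len(body) else set()
    return None  # ANY (.), BRANCH, ...: assume it can overlap
def _edge_repeat(item, idx):  # unbounded repeat at start (0) / end (-1) of item
    op, arg = item
    if _name(op) in REPEATS and arg[1] == MAXREPEAT:
        return item
    if _name(op) == "SUBPATTERN" and len(arg[-1]):
        return _edge_repeat(arg[-1][idx], idx)
    return None
def find_overlapping_repeats(pattern):  # index of each risky adjacent pair
    findings = []
    def walk(seq):
        items = list(seq)
        for i, (op, arg) in enumerate(items):
            if _name(op) in REPEATS or _name(op) == "SUBPATTERN":
                walk(arg[-1])  # descend into repeat bodies and groups
            if i + 1 < len(items):
                left, right = _edge_repeat(items[i], -1), _edge_repeat(items[i + 1], 0)
                if left and right:
                    lc, rc = first_chars(left), first_chars(right)
                    if lc is None or rc is None or lc & rc:
                        findings.append(i)
    walk(sre_parse.parse(pattern))
    return findings
```

The check is deliberately conservative: anything it cannot prove disjoint (a `.`, a negated class, a `\w`-style category) is treated as overlapping, so it prefers false positives over missed catastrophic patterns.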

No comments yet.