Re: ReDOS and RegExp in javascript: be careful when matching end of string

To: debian-js@lists.debian.org
Subject: Re: ReDOS and RegExp in javascript: be careful when matching end of string
From: Yadd <yadd@debian.org>
Date: Thu, 24 Jul 2025 13:07:03 +0200
Message-id: <[🔎] 6b20621d-dc87-416b-ac73-9776ba65c55a@debian.org>
In-reply-to: <[🔎] CAJxTCxyxn=W2Ki9hehAdb575KoNe5FkThPnktZ1a-preQ-142g@mail.gmail.com>
References: <[🔎] CAJxTCxyxn=W2Ki9hehAdb575KoNe5FkThPnktZ1a-preQ-142g@mail.gmail.com>

On 7/24/25 11:47, Jérémy Lal wrote:

Hello,

RegExp needs to be anchored to something.
This seemingly innocuous RegExp is vulnerable to ReDOS:
/a+$/

To fix it, it needs to be anchored to something:
/([^a]|^)a+$/

If one knows that the string is has something else before, it simplifies to:
/[^a]a+$/

console.time("redos");
('a'.repeat(50000) + '\x00a').match(/a+$/);
console.timeEnd("redos")
redos: 2.506s

console.time("no redos");
('a'.repeat(50000) + '\x00a').match(/[^a]a+$/);
console.timeEnd("no redos")
no redos: 0.639ms

See you !
Jérémy


Thank you,

by the way, "(?:)" [non capturing] is always faster than "()", but lastsolution stays the best:


/a+$/          : 1.449s
/([^a]|^)a+$/  : 0.173ms
/(?:[^a]|^)a+$/: 0.155ms
/[^a]a+$/      : 0.117ms

Reply to:

Follow-Ups:
- Re: ReDOS and RegExp in javascript: be careful when matching end of string
  - From: Jonas Smedegaard <jonas@jones.dk>

References:
- ReDOS and RegExp in javascript: be careful when matching end of string
  - From: Jérémy Lal <kapouer@melix.org>

Prev by Date: ReDOS and RegExp in javascript: be careful when matching end of string
Next by Date: Re: ReDOS and RegExp in javascript: be careful when matching end of string
Previous by thread: ReDOS and RegExp in javascript: be careful when matching end of string
Next by thread: Re: ReDOS and RegExp in javascript: be careful when matching end of string
Index(es):
- Date
- Thread