re — denial of service

Inefficient Regular Expression Complexity in re Module

Patterns in Python's re module that are susceptible to catastrophic backtracking. Such patterns can lead to performance issues and may cause a Denial-of-Service (DoS) condition in applications by consuming an excessive amount of CPU time on certain inputs Vulnerability Explanation

Catastrophic backtracking occurs in regex evaluation when the engine tries to match complex patterns that contain nested quantifiers or ambiguous constructs. In certain cases, especially with maliciously crafted input, this can lead to an exponential number of combinations being checked, severely impacting application performance and potentially causing it to hang or crash.

Examples

import re


IPv6address = r"([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+"
reg = re.compile(IPv6address)
reg.search("http://[:::::::::::::::::::::::::::::::::::::::]/path")

Example Output

> precli tests/unit/rules/python/stdlib/re/examples/re_compile.py
⛔️ Error on line 5 in tests/unit/rules/python/stdlib/re/examples/re_compile.py
PY033: Inefficient Regular Expression Complexity
The call to 're.compile'' with regex pattern 'r"([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+"'' is susceptible to catastrophic backtracking and may cause performance degradation.

Remediation

When using Python's re module to compile or match regular expressions, ensure that patterns are designed to avoid ambiguous repetition and nested quantifiers that can cause catastrophic backtracking. Regular expressions should be reviewed and tested for efficiency and resistance to DoS attacks.

import re


IPv6address = r"([A-Fa-f0-9:]+[:$])[A-Fa-f0-9]{1,4}"
reg = re.compile(IPv6address)
reg.search("http://[:::::::::::::::::::::::::::::::::::::::]/path")

Default Configuration

enabled = true
level = "error"

See also

Info

• re — Regular expression operations
• Regular expression Denial of Service - ReDoS OWASP Foundation
• CWE-1333: Inefficient Regular Expression Complexity

New in version 0.3.14