2021-11-01
2092
Godson Obielum
75053
Nov 1, 2021 ⋅ 7 min read

How to protect against regex denial-of-service (ReDoS) attacks

Godson Obielum I'm a software developer with a life goal of using technology as a tool for solving problems across major industries.

Recent posts:

Glowing 3D cube with the MediaPipe and React logos overlaid, symbolizing integration of AI and web development

How to build better AI apps in React with MediaPipe’s latest APIs

Learn how to integrate MediaPipe’s Tasks API into a React app for fast, in-browser object detection using your webcam.

Emmanuel John
Jul 17, 2025 ⋅ 10 min read
Vercel AI SDK logo on a 3D black grid background

How to build unified AI interfaces using the Vercel AI SDK

Integrating AI into modern frontend apps can be messy. This tutorial shows how the Vercel AI SDK simplifies it all, with streaming, multimodal input, and generative UI.

Ikeh Akinyemi
Jul 16, 2025 ⋅ 13 min read
how to prepare for a software engineering interview

How to prep for a software dev interview: Advice from a dev leader

Interviewing for a software engineering role? Hear from a senior dev leader on what he looks for in candidates, and how to prepare yourself.

Andrew Evans
Jul 16, 2025 ⋅ 12 min read
Next.js Real-Time Video Streaming: HLS.js And Alternatives

Next.js real-time video streaming: HLS.js and alternatives

Set up real-time video streaming in Next.js using HLS.js and alternatives, exploring integration, adaptive streaming, and token-based authentication.

Jude Miracle
Jul 15, 2025 ⋅ 19 min read
View all posts

One Reply to "How to protect against regex denial-of-service (ReDoS) attacks"

  1. Interesting article.

    Your explanation is wrong though. \w+\s* does not return “A long sentence with invalid characters that takes so much time to be matched that it potentially causes our CPU usage to increase”. it matches “A “, because \w is only a single char, so \w+ matches as many word char are available (in this case just the letter A), then \s* matches as many spaces as possible (just one in this case), the result is “A “. then (\w+\s*)* matches the whole string. It matches as many “at least one word char followed by 0 or more space”. The rest of your explanation is therefore erroneous.

    Too bad also your solution is not a real solution. It rejects rapidly the sequence with invalid chars, but it also reject any sequence with valid char ! In fact, this formula will never match anything but the empty string. This is due to the fact that you reference the 1st group from within the first group (the \1 is within the first pair of ()). If you define the first group as “The first group is the first group plus the repetition of itself”, the only solution is the empty group.

    A solution that works to you problem is “an optional blank separated list of words plus one word” and it’s spelled like this :
    /^(\w+\s+)*\w+$/
    which can be decoded as :
    ^: start
    (…)* repeat 0 or more time
    \w+: at least one word char
    \s+: at least one space char :
    \w+: followed by at least one word char
    $: then end

    It instantly matches “correct”
    it instantly matches “this is a list of word”
    it instantly does not match “this is an invalid list!”
    it instantly does not match “A long sentence with invalid characters that takes soo much time to be matched that it potentially causes our CPU usage to increase drastically!!!”

Leave a Reply