Yep. I remember years ago seeing the website for some guy who proudly listed all the CVEs he'd discovered. Clearly he'd written some scanning tool to look at regexes in open source projects and was creating CVEs for anything that might result in exponential time execution or whatever.

▲

gorgoiler an hour ago | parent | next [-]

It sounds like an interesting case study. Do these things get reported with a patch?:

(a) add a new function that does regular expressions searching / matching with a resource checker (eg a timer);

(b) write a local linter that reports an error for any use of the builtin regular expression tools;

(d) commit the linter.

	▲	edelbitter an hour ago \| parent \| next [-]
		This stuff has been brewing for years, but since technically you could fix all instances with minimal StackOverflow downtime [1] and a slightly different pattern, few people worked on either using engines with data structures less prone to the worst case or adding the generic workarounds for those that have them. e.g. in cPython, until 3.11, there was no support for atomic grouping (roughly translation: "never backtrack inside of this expression"). There is little useful advice a linter can give, if there is no predictable-runtime way to express what you want within a single match step, because you really do want to unwind the stack and check for repeats (just without any of the exponential runtime stuff, please). [1]: https://meta.stackoverflow.com/questions/328376/why-does-sta...
	▲	jamesfinlayson an hour ago \| parent \| prev [-]
		No I think he was just looking to raise his profile, not to help.

▲

tryauuum an hour ago | parent | prev [-]

That's a real issue, took cloudflare down once...