A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications
GNU General Public License v2.0
2.18k stars, 240 forks
Suggestion: Detect regexes vulnerable to catastrophic backtracking #105
Open
davisjam opened 6 years ago
It doesn't look like your scanner checks for regexes vulnerable to catastrophic backtracking (ReDoS).
To do that, you could use some tools I built here. The underlying detectors incur dependencies (two rely on Java, one relies on OCaml).
If dependencies are a problem, I am hosting a server that answers queries, see docs and code here. This requires shipping regexes to my server, though.
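A dependency-free heuristic of the kind the issue asks for, as an added example that is not part of the scanner or of davisjam's detectors: it parses every string-literal pattern passed to `re.<func>(...)` with Python's own regex parser and flags an unbounded quantifier whose body itself contains an unbounded quantifier, the classic catastrophic-backtracking shape such as `(\w+\s?)+`. The function names and `SAMPLE_SOURCE` are constructed for this example; the check reports candidates for review, not a proof of super-linear matching, which is what the dedicated detectors provide.

```python
import ast
try:  # Python 3.11 moved the regex parser to re._parser; older versions expose sre_parse
    from re import _parser as sre_parse
except ImportError:
    import sre_parse

REPEAT_OPS = {sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT}  # possessive repeats never backtrack
RE_CALLS = {"compile", "match", "fullmatch", "search", "findall", "finditer", "sub", "subn", "split"}


def has_nested_quantifier(pattern: str) -> bool:
    """Heuristic ReDoS check: an unbounded quantifier (*, + or {n,}) over a body that itself holds one, e.g. (a+)+."""
    found = False

    def unbounded(sub) -> bool:  # True if `sub` holds an unbounded repeat; sets `found` on nesting
        nonlocal found
        result = False
        for op, arg in sub:
            if op in REPEAT_OPS:              # arg = (min, max, body)
                inner = unbounded(arg[2])
                if arg[1] == sre_parse.MAXREPEAT:
                    found = found or inner    # unbounded repeat applied over an unbounded repeat
                    result = True
                result = result or inner
            elif op == sre_parse.SUBPATTERN:  # capturing group: arg = (group, add_flags, del_flags, body)
                result = unbounded(arg[-1]) or result
            elif op == sre_parse.BRANCH:      # alternation: arg = (None, [body, ...]); list so no short-circuit
                result = any([unbounded(b) for b in arg[1]]) or result
        return result                         # lookarounds and conditionals are not descended into

    unbounded(sre_parse.parse(pattern))
    return found


def find_suspicious_regexes(source: str):
    """Return (lineno, pattern) for each re.<func>(<str literal>, ...) call in `source` that trips the heuristic."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name) and node.func.value.id == "re"
                and node.func.attr in RE_CALLS and node.args and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, str) and has_nested_quantifier(node.args[0].value)):
            hits.append((node.lineno, node.args[0].value))
    return hits


# Constructed sample input (not from any real project); lines 3 and 4 should be flagged, line 2 should not.
SAMPLE_SOURCE = '''import re
EMAIL = re.compile(r"^[a-z0-9._]+@[a-z0-9.-]+\\.[a-z]{2,}$")
WORDS = re.compile(r"^(\\w+\\s?)+$")
CSV_INTS = re.match(r"(\\d+;)+$", "1;2;")
'''
```

Running `find_suspicious_regexes(SAMPLE_SOURCE)` returns `[(3, '^(\\w+\\s?)+$'), (4, '(\\d+;)+$')]`; the email pattern's `{2,}` is unbounded but not nested, so it is left alone.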