← Resources RESOURCE
Avoiding slow regexes and the catastrophic backtracking (ReDoS) that can paralyze a service.

Most regexes are very fast, but certain patterns can make execution time grow exponentially with the length of the input. This is called catastrophic backtracking, and an attack that halts a server with malicious input is known as ReDoS (regular expression denial of service).

The most common cause is nested quantifiers. When repetition is nested within repetition, like (a+)+ or (.*)*, and the tail fails, the engine tries every possible split and explodes. An ambiguous alternation like (a|a)* causes the same problem.

The key to prevention is eliminating ambiguity. Merge overlapping repetitions into one, narrow the range with something like [^x]* instead of .*, and where possible consider atomic groups or possessive quantifiers (which JavaScript doesn't have). Limiting input length is also effective in practice.

Because this tester runs in the browser, a dangerous pattern only briefly slows down your own tab; but before using the same pattern on a server against untrusted input, always check its performance.