ReDoS

I give up the fight. If it's Regular Expression the E should be capitalised.
Anyway, ReDoS does look cooler so I guess we'll stick with it (Regexp DoS)

Author: b-c-ds

README.md

@@ -1,11 +1,11 @@
 # Regexploit
 
-Regular Expression Denial of Service (REDoS).
+Regular Expression Denial of Service (ReDoS).
 
 Most default regular expression parsers (non-deterministic finite automata) have unbounded worst-case complexity. Regex matching may be quick when presented with a matching input string. However, certain non-matching input strings can make the regular expression matcher go into crazy loops and take ages to process. This can cause denial of service, as the CPU will be stuck trying to match the regex.
 
 This tool is designed to:
-*  find regular expressions which are vulnerable to REDoS
+*  find regular expressions which are vulnerable to ReDoS
 *  give an example malicious string which will cause catastrophic backtracking
 
 Something something regexes are bad.
@@ -15,7 +15,7 @@ Something something regexes are bad.
 This reflects the complexity of the regular expression matcher's backtracking procedure with respect to the length of the entered string.
 
 Cubic complexity here means that if the vulnerable part of the string is doubled in length, the execution time should be about 8 times longer (2^3).
-For exponential REDoS with starred stars e.g. `(a*)*$` a fudge factor is used and the complexity will be greater than 10.
+For exponential ReDoS with starred stars e.g. `(a*)*$` a fudge factor is used and the complexity will be greater than 10.
 
 For explotability, a cubic complexity or higher is typically required unless truly giant strings are allowed as input.
 
@@ -34,9 +34,9 @@ Final character to cause backtracking: [^[a-z]]
 Example: 'ab' + 'c' * 3456 + '0'
 ```
 
-The part `c*[a-z]+c+` contains three overlapping repeating groups. As showed in the line `Repeated character: [c]`, a long string of `c` will match this section in many different ways. The worst-case complexity is 3 as there are 3 infinitely repeating groups. An example to cause REDoS is given: it consists of the required prefix `ab`, a long string of `c` and then a `0` to cause backtracking. Not all REDoSes require a particular character at the end, but in this case, a long string of `c` will match the regex successfully and won't backtrack. The line `Final character to cause backtracking: [^[a-z]]` shows that a non-matching character not in the range `[a-z]` is required at the end to prevent matching and cause REDoS.
+The part `c*[a-z]+c+` contains three overlapping repeating groups. As showed in the line `Repeated character: [c]`, a long string of `c` will match this section in many different ways. The worst-case complexity is 3 as there are 3 infinitely repeating groups. An example to cause ReDoS is given: it consists of the required prefix `ab`, a long string of `c` and then a `0` to cause backtracking. Not all ReDoSes require a particular character at the end, but in this case, a long string of `c` will match the regex successfully and won't backtrack. The line `Final character to cause backtracking: [^[a-z]]` shows that a non-matching character not in the range `[a-z]` is required at the end to prevent matching and cause ReDoS.
 
-As another example, install a module version vulnerable to REDoS such as `pip install ua-parser==0.9.0`.
+As another example, install a module version vulnerable to ReDoS such as `pip install ua-parser==0.9.0`.
 To scan the installed python modules run `regexploit-python-env`.
 
 ```
@@ -63,7 +63,7 @@ Example: ';0 Build/HuaweiA' + '0' * 3456
 ...
 ```
 
-For each vulnerable regular expression it prints one or more malicious string to trigger REDoS. Setting your user agent to `;0 Build/HuaweiA000000000000000...` and browsing a website using an old version of ua-parser may cause the server to take a long time to process your request, probably ending in status 502.
+For each vulnerable regular expression it prints one or more malicious string to trigger ReDoS. Setting your user agent to `;0 Build/HuaweiA000000000000000...` and browsing a website using an old version of ua-parser may cause the server to take a long time to process your request, probably ending in status 502.
 
 # Installation
 
@@ -94,7 +94,7 @@ or via a file
 cat myregexes.txt | regexploit
 ```
 
-Nothing is printed when no REDoS is found.
+Nothing is printed when no ReDoS is found.
 
 ## Python imports
 
@@ -109,7 +109,7 @@ N.B. this doesn't parse the python code to an AST and will only find regexes com
 
 ## Python code
 
-Parses Python code (without executing it) via the AST to find regexes (with some false positives). The regexes are then analysed for REDoS.
+Parses Python code (without executing it) via the AST to find regexes (with some false positives). The regexes are then analysed for ReDoS.
 
 ```bash
 regexploit-py my-project/stuff.py
@@ -120,7 +120,7 @@ regexploit-py "my-project/**/*.py" --glob
 
 This will use the bundled NodeJS package in `regexploit/bin/javascript` which parses your javascript as an AST with [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/master/packages/parser) and prints out all regexes.
 
-Those regexes are fed into the python REDoS finder.
+Those regexes are fed into the python ReDoS finder.
 
 ```bash
 regexploit-js my-module/my-file.js another/file.js
@@ -139,7 +139,7 @@ TODO: not so straight forward to extract the regexes because of the way they are
 
 ## Golang / anything using re2
 
-Unless you specifically use a non-deterministic finite automata, Go code is not vulnerable to this type of REDoS. It uses `re2` which does not have catastrophic backtracking.
+Unless you specifically use a non-deterministic finite automata, Go code is not vulnerable to this type of ReDoS. It uses `re2` which does not have catastrophic backtracking.
 
 ## JSON / YAML
 

regexploit/bin/regexploit.py

@@ -48,7 +48,7 @@ def javascript(pattern: str, flags: int):
 
 def main():
     parser = argparse.ArgumentParser(
-        description="Parse regexes from stdin and scan them for REDoS"
+        description="Parse regexes from stdin and scan them for ReDoS"
     )
     parser.add_argument(
         "-f",
@@ -88,7 +88,7 @@ def main():
             ):
                 found = True
             if isatty and not found:
-                print("No REDoS found.")
+                print("No ReDoS found.")
     except KeyboardInterrupt:
         pass
 

regexploit/bin/regexploit_csharp.py

@@ -21,7 +21,7 @@ def handle_file(filename: str, output: TextOutput):
         if len(pattern) < 5:
             continue  # (.+)+
         if pattern.count("*") + pattern.count("+") + pattern.count(",}") < 2:
-            continue  # no REDoS possible
+            continue  # no ReDoS possible
         try:
             logging.debug("%s#%s: %s", filename, regex.lineno, pattern)
             parsed = SreOpParser().parse_sre(pattern, regex.flags)
@@ -58,7 +58,7 @@ def handle_file(filename: str, output: TextOutput):
                         context=context,
                     )
         except Exception:
-            print(f"Error finding REDoS: {pattern} from {filename} #{regex.lineno}")
+            print(f"Error finding ReDoS: {pattern} from {filename} #{regex.lineno}")
             print(traceback.format_exc())
 
 
@@ -68,7 +68,7 @@ def main():
             "ignore", category=FutureWarning
         )  # Some csharp/js regexes are weird
         parser = argparse.ArgumentParser(
-            description="Parse regexes out of C# files and scan them for REDoS"
+            description="Parse regexes out of C# files and scan them for ReDoS"
         )
         parser.add_argument("files", nargs="+", help="C# files")
         parser.add_argument(

regexploit/bin/regexploit_js.py

@@ -25,7 +25,7 @@ def handle_line_from_node(line: str, output: TextOutput):
         if pattern_len == 8059 and pattern.startswith("\\u{1F3F4}(?:\\u{E0067"):
             return  # annoying emoji regex
         if pattern.count("*") + pattern.count("+") + pattern.count(",}") < 2:
-            return  # no REDoS possible
+            return  # no ReDoS possible
         filename = regex["filename"]
         lineno = regex["lineno"]
         try:
@@ -50,7 +50,7 @@ def handle_line_from_node(line: str, output: TextOutput):
                 if redos.starriness > 2:
                     output.record(redos, pattern, filename=filename, lineno=lineno)
         except Exception:
-            print(f"Error finding REDoS: {pattern} from {filename}")
+            print(f"Error finding ReDoS: {pattern} from {filename}")
             print(traceback.format_exc())
     elif error := regex.get("error"):
         print("ERR", error, regex.get("filename"))
@@ -84,7 +84,7 @@ def main():
             "ignore", category=FutureWarning
         )  # Some js regexes are weird
         parser = argparse.ArgumentParser(
-            description="Parse regexes out of javascript files and scan them for REDoS"
+            description="Parse regexes out of javascript files and scan them for ReDoS"
         )
         parser.add_argument("files", nargs="+", help="Javascript or typescript files")
         parser.add_argument(

regexploit/bin/regexploit_python_ast.py

@@ -49,7 +49,7 @@ def handle_file(filename: str, output: TextOutput):
                     )
         except Exception:
             print(
-                f"Error finding REDoS: {regex.pattern} from {filename} #{regex.lineno}"
+                f"Error finding ReDoS: {regex.pattern} from {filename} #{regex.lineno}"
             )
             print(traceback.format_exc())
 
@@ -60,7 +60,7 @@ def main():
         warnings.simplefilter("ignore", category=FutureWarning)
         warnings.simplefilter("ignore", category=DeprecationWarning)
         parser = argparse.ArgumentParser(
-            description="Parse regexes out of python files and scan them for REDoS"
+            description="Parse regexes out of python files and scan them for ReDoS"
         )
         parser.add_argument("files", nargs="+", help="Python files or directories")
         parser.add_argument(

regexploit/bin/regexploit_yaml.py

@@ -47,7 +47,7 @@ def handle(self, elem):
                             filename=self.filename,
                         )
             except Exception:
-                print(f"Error finding REDoS: {elem} from {self.filename}")
+                print(f"Error finding ReDoS: {elem} from {self.filename}")
                 print(traceback.format_exc())
         elif isinstance(elem, list):
             for _elem in elem:
@@ -63,7 +63,7 @@ def main(get_object=get_json):
         warnings.simplefilter("ignore", category=FutureWarning)
         warnings.simplefilter("ignore", category=DeprecationWarning)
         parser = argparse.ArgumentParser(
-            description="Parse regexes out of YAML files (strings, lists and dictionary values) and scan them for REDoS"
+            description="Parse regexes out of YAML files (strings, lists and dictionary values) and scan them for ReDoS"
         )
         parser.add_argument("files", nargs="+", help="YAML files")
         parser.add_argument(

regexploit/languages/python_node_visitor.py

@@ -27,9 +27,9 @@ def __init__(self):
         self.patterns: List[FoundRegex] = []
 
     def maybe_pattern(self, lineno: int, pattern: str):
-        """Check if the pattern could possibly have REDoS: if so, add it."""
+        """Check if the pattern could possibly have ReDoS: if so, add it."""
         if pattern.count("*") + pattern.count("+") + pattern.count(",}") >= 2:
-            # Could have REDoS
+            # Could have ReDoS
             # Now check if it still looks like a docstring
             if " * * *" in pattern:
                 return  # Looks like cron (of course could just be really silly regex)

regexploit/redos.py

@@ -122,7 +122,7 @@ def make_redos(
     # TODO branches
     character_history = [repeated_character]
     logging.debug(
-        "Make REDoS %d %d %s %d",
+        "Make ReDoS %d %d %s %d",
         sequence_start,
         continue_from,
         repeated_character,
@@ -174,7 +174,7 @@ def make_redos(
         repeated_character = new_c
         character_history.append(new_c)
 
-    # Everything matched! We need to work backwards and find a 'killer' to cause backtracking if we want REDoS
+    # Everything matched! We need to work backwards and find a 'killer' to cause backtracking if we want ReDoS
     logging.debug("Backtracking: %s", character_history)
     for current_index in reversed(range(continue_from, len(seq))):
         elem = seq.elements[current_index]
@@ -215,7 +215,7 @@ def redos_found(
     killer: Optional[Character],
 ) -> Redos:
     # TODO: Try to include some skipped optional parts (like `?`) just to make it nicer
-    logging.debug("REDoS found")
+    logging.debug("ReDoS found")
     return Redos(
         starriness,
         Sequence(seq.elements[:start]),

setup.py

@@ -8,7 +8,7 @@
     version="0.0.1",
     author="Ben Caller :: Doyensec",
     author_email="[email protected]",
-    description="Find regular expressions vulnerable to REDoS",
+    description="Find regular expressions vulnerable to ReDoS",
     long_description=long_description,
     long_description_content_type="text/markdown",
     url="https://github.com/doyensec/regexploit",

tests/test_redos.py

@@ -96,7 +96,7 @@ def test_dollar():
 
 
 def test_real_cpython_cookielib():
-    # We don't support the (?!) assertions, but can still find REDoS
+    # We don't support the (?!) assertions, but can still find ReDoS
     LOOSE_HTTP_DATE_RE = r"""^
         (\d\d?)            # day
            (?:\s+|[-\/])