Code Smell 185 -  Evil Regular Expressions

Code Smell 185 - Evil Regular Expressions

Regular expressions are a code smell. Sometimes also a vulnerability

Maxi Contieri⭐⭐⭐'s photo
Maxi Contieri⭐⭐⭐
·Dec 8, 2022·

2 min read

Play this article

Table of contents

  • Problems
  • Solutions
  • Context
  • Sample Code
  • Detection
  • Tags
  • Conclusion
  • Relations
  • More Info
  • Disclaimer
  • Credits

TL;DR: Try to minimize Regular Expression's recursive rules.


  • Security Issues

  • Readability

  • Premature Optimization


  1. Cover the cases with tests to see if they halt

  2. Use algorithms instead of regular expressions

  3. Add timeout handlers


This is known as ReDos attack, a subtype of a Denial of Service attack.

ReDoS attacks can be divided into two types:

A string with an evil pattern is passed to an application. Then this string is used as a regex, which leads to ReDoS.

A string with a vector attack format is passed to an application. Then this string is evaluated by a vulnerable regex, which leads to ReDoS.

Sample Code


package main

import (

func main() {
    var re = regexp.MustCompile(`^(([a-z])+.)+[A-Z]([a-z])+$`)
    var str = `aaaaaaaaaaaaaaaaaaaaaaaa!`

    for i, match := range re.FindAllString(str, -1) {
        fmt.Println(match, "found at index", i)

Regex 101


package main

import (

func main() {
    var str = `aaaaaaaaaaaaaaaaaaaaaaaa!`

    words := strings.Fields(str)

    for i, word := range words {
        if len(word) >= 2 && word[0] >= 'a' && word[0] <= 'z' && word[len(word)-1] >= 'A' 
          && word[len(word)-1] <= 'Z' {
            fmt.Println(word, "found at index", i)


[X] Semi-Automatic

Many languages avoid this kind of regular expression.

We can also scan the code for this vulnerability.


  • Security


Regular Expressions are tricky and hard to debug.

We should avoid them as much as possible.


More Info

Catastrophic backtracking: how can a regular expression cause a ReDoS vulnerability?

Runaway Regular Expressions: Catastrophic Backtracking


Code Smells are just my opinion.


Photo by engin akyurt on Unsplash

Some people, when confronted with a problem, think “I know, I’ll use regular expressions.” Now they have two problems.

Jamie Zawinski

This article is part of the CodeSmell Series.

Share this