Show HN: Redos-analyzer – static ReDoS detection and auto-fix for Python

Posted Wednesday, April 8, 2026 at 01:56 AM. Retrieved Wednesday, April 8, 2026 at 02:00 AM.

At 13:42 UTC on July 2, 2019, an engineer at Cloudflare deployed a change to the regular expression rules used by their Web Application Firewall. Within three minutes there was an 80% drop in traffic globally, and every CPU serving HTTP across their network went to 100% utilization. The cause was a single regular expression intended to detect XSS attacks. It contained the subpattern `.*(?:.*=.*)`, which chains greedy `.*` quantifiers over the same unbounded character class (`.` matches any character): on an input where no `=` follows, the backtracking engine tries every way of dividing the text between the adjacent `.*` quantifiers before it can give up, so the work grows polynomially with the input length rather than linearly.

That was a ReDoS in production.

I was interested to know how frequent such patterns are in the Python libraries that we use every day.
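The smell in Cloudflare's pattern, two unbounded quantifiers in a row whose bodies can consume the same character, is something a static checker can look for in the parsed form of a regex. The following is an added illustration written for this page, not code from Redos-analyzer or from Cloudflare: it uses CPython's private regex parser (`re._parser` on 3.11+, `sre_parse` on older releases; both are internal APIs that may change) to inline groups, then flags adjacent unbounded repeats whose one-character bodies overlap on a constructed probe alphabet. The function name `find_overlapping_repeats`, the probe-alphabet approach and the category predicates are my own choices, not the tool's.

```python
"""Static ReDoS smell: two adjacent unbounded repeats whose bodies can consume
the same character, e.g. `.*.*`, `\\w+\\d*`, or Cloudflare's `.*(?:.*=.*)`."""
import string

try:  # Python 3.11+ keeps the regex parser at re._parser (a private API) ...
    from re import _parser as sre_parse, _constants as C
except ImportError:  # ... older releases expose it as the sre_parse module
    import sre_parse
    import sre_constants as C

# Constructed probe alphabet: two bodies "overlap" if some probe character
# satisfies both of them.  Printable ASCII is enough for ASCII classes.
PROBE = string.printable

# Assumed predicates for the built-in categories (\d, \s, \w and negations).
_CATEGORY_TESTS = {
    C.CATEGORY_DIGIT: str.isdigit,
    C.CATEGORY_NOT_DIGIT: lambda ch: not ch.isdigit(),
    C.CATEGORY_SPACE: str.isspace,
    C.CATEGORY_NOT_SPACE: lambda ch: not ch.isspace(),
    C.CATEGORY_WORD: lambda ch: ch.isalnum() or ch == "_",
    C.CATEGORY_NOT_WORD: lambda ch: not (ch.isalnum() or ch == "_"),
}


def _single_char_matcher(item):
    """Predicate `ch -> bool` for a parsed item that consumes exactly one
    character (`.`, a literal, `[...]`, `\\d` ...), or None if it is not one."""
    op, av = item
    if op == C.ANY:
        return lambda ch: ch != "\n"
    if op == C.LITERAL:
        return lambda ch: ord(ch) == av
    if op == C.NOT_LITERAL:
        return lambda ch: ord(ch) != av
    if op == C.IN:  # class: av is a list of (LITERAL|RANGE|CATEGORY|NEGATE, arg)
        negate = bool(av) and av[0][0] == C.NEGATE

        def in_class(ch):
            code = ord(ch)
            hit = False
            for sub_op, sub_av in av:
                if sub_op == C.LITERAL and code == sub_av:
                    hit = True
                elif sub_op == C.RANGE and sub_av[0] <= code <= sub_av[1]:
                    hit = True
                elif sub_op == C.CATEGORY:
                    hit = hit or _CATEGORY_TESTS.get(sub_av, lambda _: False)(ch)
            return hit != negate

        return in_class
    return None  # groups, branches, anchors, back-references: not modelled


def _flatten(subpattern):
    """Items of a parsed sequence with groups inlined, so that
    `.*(?:.*=.*)` is seen as the sequence  .*  .*  =  .*  ."""
    out = []
    for op, av in subpattern.data:
        if op == C.SUBPATTERN:  # av == (group, add_flags, del_flags, body)
            out.extend(_flatten(av[3]))
        else:
            out.append((op, av))
    return out


def _unbounded_body(item):
    """For `X*`, `X+`, `X{n,}` or their lazy forms with a one-character body X,
    return X's matcher; otherwise None (bounded and possessive repeats skip)."""
    op, av = item
    if op in (C.MAX_REPEAT, C.MIN_REPEAT) and av[1] == C.MAXREPEAT:
        body = av[2].data
        if len(body) == 1:
            return _single_char_matcher(body[0])
    return None


def find_overlapping_repeats(pattern):
    """Return the index (in the flattened item sequence) of every adjacent pair
    of unbounded repeats whose bodies overlap; a non-empty list is the smell."""
    items = _flatten(sre_parse.parse(pattern))
    findings = []
    for i in range(len(items) - 1):
        left, right = _unbounded_body(items[i]), _unbounded_body(items[i + 1])
        if left and right and any(left(ch) and right(ch) for ch in PROBE):
            findings.append(i)
    return findings


if __name__ == "__main__":
    for pat in (r".*(?:.*=.*)", r"\w+\d*", r"\w+\s*", r"[^=]*=.*"):
        print(f"{pat!r:16} -> {find_overlapping_repeats(pat)}")
```

This flags `.*.*`, `.*?.*`, `\w+\d*` and the Cloudflare subpattern, and stays quiet on `[^=]*=.*` and `\w+\s*`. It is deliberately narrow: it does not see an overlap through an optional element between the repeats (`a*b?a*`), nested quantifiers such as `(a+)+`, or alternation, and a hit shows that the backtracking structure is present, not that a given input triggers it. On Python 3.11+, possessive quantifiers (`[^=]*+`) and atomic groups parse to different opcodes and are not flagged, which is right, since they never give back what they have matched.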
