Skill

redos

Checks regex patterns for ReDoS (CWE-1333) vulnerabilities when applied to user input. Flags catastrophic backtracking risks and suggests fixes like atomic groups, timeouts, RE2 for Python, Go, Java.

Python

Java

security

npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Protects against Regular Expression Denial of Service where a crafted input causes

SKILL.md

Similar Skills

redos

Detects ReDoS vulnerabilities via catastrophic backtracking in regex patterns on user-controlled input. Audits JS/TS/Python/Ruby/PHP/Java code and measures growth rates.

3 files

find-cve-agent

Regex Whisperer

Writes, debugs, and explains regex patterns emphasizing readability, performance optimization, edge cases, testing strategies, and regex alternatives. Activates on mentions of regex, regular expressions, pattern matching, text parsing, extraction, or format validation.

3 files

omer-metin-skills-for-antigravity-2

regex-builder

221

DEPRECATED: Generates, explains, and tests regex patterns from positive/negative examples with Python/JavaScript code. Retained for reference only.

5 files

armory

Stats

Stars13

Forks0

Last CommitApr 17, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

ReDoS Security Check (CWE-1333)

What this checks

Protects against Regular Expression Denial of Service where a crafted input causes catastrophic backtracking in regex engines. A single malicious string can pin a CPU core for minutes or hours, taking down the service.

Vulnerable patterns

re.match(r"(a+)+$", user_input) — nested quantifiers cause exponential backtracking
Pattern.compile("(.*a){20}") — overlapping alternation with repetition
/^([\w.]+)+@/ .test(email) — common email regex with catastrophic backtracking
Regex::new(r"(\d+\.?\d*)+") — ambiguous quantifier nesting on numeric input

Fix immediately

Flag the vulnerable regex and explain the risk. Show the secure pattern below as a suggested fix. Then continue with the original task.

Secure patterns:

Avoid nested quantifiers — (a+)+ → a+
Use atomic groups or possessive quantifiers where supported — (?>a+) or a++
Set a timeout on regex execution:

# Python — use re2 or set a match timeout
import re
# Bad: re.match(r"(a+)+$", user_input)
# Good: anchor and simplify
re.match(r"a+$", user_input)
# Or use google-re2 which guarantees linear time

// Go — regexp package uses RE2 engine (safe by default)
// Go's regexp CANNOT have catastrophic backtracking
r := regexp.MustCompile(`a+$`)

// Java — no built-in protection; simplify or add timeout
Pattern p = Pattern.compile("a+$"); // simplified, no nesting
Matcher m = p.matcher(input);
// For complex patterns, run in a thread with a timeout

Why this works: Removing nested quantifiers eliminates the exponential state space. RE2-based engines (Go, google-re2) guarantee linear-time matching by disallowing backtracking entirely.

Verification

No regex applied to user input contains nested quantifiers like (a+)+, (a*)*, (a|a)+, or (a+b?)+
Regexes with alternation inside repetition are rewritten to avoid overlap between alternatives
If the language supports it (Go, Rust), a linear-time regex engine is used; otherwise patterns are simplified or execution is time-bounded

References

CWE-1333 (Inefficient Regular Expression Complexity)
CWE-400 (Uncontrolled Resource Consumption)