Example - 1

This example attempts to check if an input string is a "sentence" [REF-1164].

var test_string = "Bad characters: $@#";var bad_pattern  = /^(\w+\s?)*$/i;var result = test_string.search(bad_pattern);

The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases.To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

var test_string = "Bad characters: $@#";var good_pattern  = /^((?=(\w+))\2\s?)*$/i;var result = test_string.search(good_pattern);

Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx.

Example - 2

This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].

my $test_string = "Bad characters: \$\@\#";my $bdrslt = $test_string;$bdrslt =~ /^(\w+\s?)*$/i;

The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases.To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

my $test_string = "Bad characters: \$\@\#";my $gdrslt = $test_string;$gdrslt =~ /^((?=(\w+))\2\s?)*$/i;

Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx.