
    Once I became aware of the possibility of catastrophic regexes (what the article terms “ReDoS”) I started seeing them in the real world more often. Two examples that come to mind:

    Walmart.com’s search had a multi-hour brownout because of a bad regex that was triggered by user input. This was complicated by a load balancer health check that effectively didn’t work. The load balancer required 3 failures to mark a backend unhealthy, but the “backend” was an nginx process round-robining to multiple node.js processes. So when one node process tanked you were still very unlikely to get 3 failures from nginx in a row.

    And that’s why health checking is a lot more complicated a topic than most people know.

    Hipchat used to lock up on me frequently because they had an “isURL” function that used a bad regex. I’d have to have an admin delete the message. I ended up editing my local copy of the app to stub out isURL to just return false.
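The health-check failure described in the first anecdote, as an added model that is not the commenter's code: it assumes a constructed setup of 8 node workers behind one nginx whose round robin is shared with real traffic, so which worker a probe reaches is effectively random, and compares the "3 consecutive failures" rule against probing each worker directly.

```python
import random

# Constructed model (added example, not from the post): N node workers behind one
# nginx that round-robins ALL requests, including the load balancer's health
# probes. Because the probes share the rotation with real traffic, the worker a
# given probe lands on is effectively uniform random from the prober's view.


def probe_via_nginx(workers_up, rng):
    """One health probe routed through nginx's shared round robin."""
    return workers_up[rng.randrange(len(workers_up))]


def lb_unhealthy_events(workers_up, probes, threshold=3, seed=1):
    """Count how often a 'threshold consecutive failures' rule fires on the
    nginx backend when the probes go through its shared round robin."""
    rng = random.Random(seed)
    streak, fired = 0, 0
    for _ in range(probes):
        if probe_via_nginx(workers_up, rng):
            streak = 0
        else:
            streak += 1
            if streak == threshold:
                fired += 1
                streak = 0  # LB marks the backend unhealthy and restarts the count
    return fired


def expected_fire_probability(n_workers, hung, threshold=3):
    """Chance that any given run of `threshold` probes all hit a hung worker."""
    return (hung / n_workers) ** threshold


def direct_probe_detection(workers_up, threshold=3):
    """Probe each worker on its own port instead: a hung worker is marked
    unhealthy after exactly `threshold` probes, independent of the traffic mix.
    Returns probe count at detection per worker, or None if it stays healthy."""
    return {i: (None if up else threshold) for i, up in enumerate(workers_up)}


if __name__ == "__main__":
    workers = [True] * 7 + [False]  # 8 node processes, one hung on a bad regex
    print("P(3 probes in a row hit the hung worker):", expected_fire_probability(8, 1))
    print("LB marked nginx unhealthy this often in 2000 probes:",
          lb_unhealthy_events(workers, probes=2000))
    print("Direct per-worker probing detects at probe:", direct_probe_detection(workers))
```

With one of eight workers hung, the shared-round-robin rule fires on roughly 1 in 512 probe windows, so the backend stays "healthy" almost all the time while the hung worker keeps receiving an eighth of the traffic.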