GitHub Repository

Static analysis tool that detects and automatically fixes ReDoS vulnerabilities in Python using sre_parse AST analysis.

1 star · Python

Redos-analyzer – static ReDoS detection and auto-fix for Python

by kingkongsatan · Apr 8, 2026 · 1 point · 0 comments

AI Analysis


AST-level regex analysis with auto-fix beats string-based ReDoS checkers.

Strengths
  • Walks Python's sre_parse AST instead of raw pattern strings
  • Generates atomic group fixes with semantic equivalence validation
  • Validated against top 20 PyPI packages with maintainer-confirmed issues
Weaknesses
  • Python-only, no support for other languages with ReDoS risks
  • Zero stars and forks suggest an early adoption stage
Category
Target Audience

Python developers, security engineers

Similar To

Bandit · Semgrep · regex-denied

Post Description

At 13:42 UTC on July 2, 2019, an engineer working for Cloudflare made changes to the regular ruleset that was being used by their Web Application Firewall. In under three minutes, there was an 80% drop in the amount of traffic globally. The load on all HTTP serving CPUs in their network hit 100%. It was caused by one regular expression intended to detect XSS attacks, which contained the regular expression pattern `.*(?:.*=.*)`. This pattern included two quantifiers using `.*` on the same character class.

That was the result of a production ReDoS.

I was interested to know how frequent such patterns are in Python libraries that we use every day.
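The shape behind that outage, two unbounded quantifiers over overlapping characters placed next to each other, is exactly what a checker working on Python's own regex parse tree can spot without running the pattern. As an added example (not the redos-analyzer project's code), the minimal detector below walks the `sre_parse` tree (`re._parser` on Python 3.11+) and reports that shape plus the nested form such as `(a+)+`; the helper names and the conservative "unknown sets overlap" rule are this example's own choices, not the project's.

```python
# Added example (not redos-analyzer's code). Python 3.11 moved sre_parse to re._parser.
try:
    from re import _parser as sre_parse
except ImportError:
    import sre_parse                      # Python 3.10 and earlier
IN, LITERAL, RANGE, BRANCH = sre_parse.IN, sre_parse.LITERAL, sre_parse.RANGE, sre_parse.BRANCH
SUBPATTERN, MAX_REPEAT, MAXREPEAT = sre_parse.SUBPATTERN, sre_parse.MAX_REPEAT, sre_parse.MAXREPEAT

def _flatten(seq):
    """Splice plain groups into the parent so `.*(?:.*=.*)` is seen as `.*.*=.*`."""
    out = []
    for op, av in seq:                    # for SUBPATTERN, av[-1] is the group body
        out.extend(_flatten(av[-1]) if op == SUBPATTERN else [(op, av)])
    return out

def _unbounded(item):                     # greedy `*`, `+` or `{n,}`
    return item[0] == MAX_REPEAT and item[1][1] == MAXREPEAT

def _first_chars(item):
    """Code points `item` can start with; None means unknown (`.`, \\d, [^x], ...)."""
    op, av = item
    if op == LITERAL:
        return frozenset({av})
    if op == IN and all(o in (LITERAL, RANGE) for o, _ in av):
        return frozenset(c for o, a in av
                         for c in ({a} if o == LITERAL else range(a[0], a[1] + 1)))
    if op == MAX_REPEAT and len(av[2]):   # av = (min, max, body)
        return _first_chars(_flatten(av[2])[0])
    return None                           # conservative: unknown sets are assumed to overlap

def find_redos(pattern):
    """List the ReDoS shapes found in `pattern`; an empty list means none were found."""
    findings = []
    def walk(seq):
        seq = _flatten(seq)
        for i, (op, av) in enumerate(seq):
            if op == BRANCH:              # av[1] holds the alternatives
                for alternative in av[1]:
                    walk(alternative)
            elif op == MAX_REPEAT:
                body = _flatten(av[2])
                if _unbounded(seq[i]) and len(body) == 1 and _unbounded(body[0]):
                    findings.append("nested unbounded quantifier")      # e.g. (a+)+
                if _unbounded(seq[i]) and i + 1 < len(seq) and _unbounded(seq[i + 1]):
                    a, b = _first_chars(seq[i]), _first_chars(seq[i + 1])
                    if a is None or b is None or a & b:
                        findings.append("adjacent overlapping unbounded quantifiers")
                walk(av[2])
    walk(sre_parse.parse(pattern))
    return findings
```

Running `find_redos(r".*(?:.*=.*)")` reports the adjacent-quantifier shape, while a bounded or non-overlapping pattern such as `a*b*` comes back clean; lazy quantifiers and character-class categories are deliberately handled conservatively here, so a real tool needs finer overlap analysis.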

Similar Projects

Python PCAP Analyzer (Security, rated Mid, Niche Gem) by RaduUrj, 2011d ago

Yet another PCAP analyzer competing with Wireshark and Zeek.