Regex Safety Analyzer
Flag catastrophic-backtracking shapes in regex patterns and probe with synthetic worst-case inputs.
High risk
This pattern has shapes known to cause exponential backtracking, or it slowed measurably on a synthetic worst case.
Findings (1)
Nested quantifier
A quantifier inside a group that is itself quantified is the canonical ReDoS pattern.
(a+)+
Synthetic worst-case probes
| Input | Time (ms) | Matched |
|---|---|---|
| aaaaaaaa…(×10)! | 0.08 | yes |
| aaaaaaaa…(×20)! | 0.04 | yes |
| aaaaaaaa…(×25)! | 0.00 | yes |
| aaaaaaaa…(×28)! | 0.00 | yes |
What we flag
- Nested quantifiers — (a+)+, (a*)*
- Alternation with overlap inside a quantifier — (a|a)*
- Quantifier on a group containing a quantifier — classic ReDoS pattern
- Unbounded greedy followed by an anchored suffix — slow-match risk
- Excessive lookbehinds / lookaheads
Caveats
Heuristic only. We catch the obvious shapes that destroy real services; we don't prove safety. For high-stakes inputs, run the pattern against pathological strings or use a non-backtracking engine (RE2 / Hyperscan).
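A minimal version of the shape check and the probe described above, as an added JavaScript example rather than the analyzer's own code: `findRiskyShapes` scans for nested quantifiers and overlapping alternation under a quantifier, and `probe` times a pattern on the table's `a…!` input. The function names, the finding labels and the `^(a+)+$` variant mentioned in the note are assumptions.

```javascript
// Added example, not the analyzer's code. Names and probe sizes are assumptions.
const UNBOUNDED = /^(?:[*+]|\{\d+,\})/; // *, + or {n,}; "?" and {n,m} are bounded

// Heuristic scan for nested quantifiers and overlapping alternation; proves nothing safe.
function findRiskyShapes(pattern) {
  const findings = [];
  const stack = []; // one frame per currently open group
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; } // skip the escaped character
    if (ch === '[') { // skip a whole character class
      for (i++; i < pattern.length && pattern[i] !== ']'; i++) {
        if (pattern[i] === '\\') i++;
      }
      continue;
    }
    const top = stack[stack.length - 1];
    if (ch === '(') {
      stack.push({ start: i, branchStart: i + 1, branches: [], quantified: false });
    } else if (ch === '|' && top) {
      top.branches.push(pattern.slice(top.branchStart, i));
      top.branchStart = i + 1;
    } else if (ch === ')' && top) {
      stack.pop();
      top.branches.push(pattern.slice(top.branchStart, i));
      const q = UNBOUNDED.exec(pattern.slice(i + 1)); // is the group repeated?
      const shape = pattern.slice(top.start, i + 1 + (q ? q[0].length : 0));
      if (q && top.quantified) findings.push({ kind: 'nested-quantifier', shape });
      // Branches that begin with the same character can match the same text.
      const heads = top.branches.map((b) => b.replace(/^\?[:=!]/, '')[0]);
      if (q && new Set(heads).size < heads.length) {
        findings.push({ kind: 'overlapping-alternation', shape });
      }
      const parent = stack[stack.length - 1];
      if (parent && (q || top.quantified)) parent.quantified = true;
    } else if (top && UNBOUNDED.test(pattern.slice(i))) {
      top.quantified = true; // a quantifier sits inside the open group
    }
  }
  return findings;
}

// Time the pattern on n copies of "a" followed by "!", the table's probe input.
function probe(pattern, n) {
  const input = 'a'.repeat(n) + '!';
  const t0 = performance.now();
  const matched = new RegExp(pattern).test(input);
  return { n, ms: performance.now() - t0, matched };
}
```

Unanchored `(a+)+` matches the leading run of `a` immediately, so its probes finish in well under a millisecond even though the shape is flagged. A variant that has to fail on the trailing `!`, such as `^(a+)+$`, is the one whose time grows quickly with `n`.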