by codethief 938 days ago
> It turned out it was because of a bad regex in the grammarly extension that caused the page to hang if the domain name was more than about 100 characters.

Just today I debugged a regex that would DoS our backend whenever the user enters the wrong thing in a form.

Now I'm reading up on regex engines: https://swtch.com/%7Ersc/regexp/regexp1.html


Just in case you haven't seen the postmortem of the Cloudflare outage, which also was caused by a regex-based DoS: https://blog.cloudflare.com/details-of-the-cloudflare-outage...
That was a great read, but there was one thing I didn't understand: Why would the regex string have "." twice in a row? What does ".." find that "." doesn't find? Does that just mean "at least two characters"?
It means specifically 2 characters, and is equivalent to `.{2}`.

`..+` or `...*` are ways of writing "at least two characters".

A single `.` matches exactly one character. `..` matches exactly two characters (not more, not less).
I had a ReDoS issue at a prior company many years ago; at least they're lintable now:

  https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-super-linear-move.html
  https://www.npmjs.com/package/eslint-plugin-redos/v/1.2.0