regexSuperLinearBacktracking

Reports regular expressions with exponential or polynomial backtracking.

✅ This rule is included in the ts logical and logicalStrict presets.

Reports regular expressions that can cause exponential or polynomial backtracking. These patterns can be exploited to cause Regular Expression Denial of Service (ReDoS) attacks, where a malicious input string causes the regex engine to take an extremely long time to process.

Examples

Self-Referential Quantifiers

When a quantifier can reach itself through a parent quantifier, it can cause exponential backtracking.

❌ Incorrect

const pattern = /(?:a+)+/;

const pattern = /b(?:a+)+b/;

✅ Correct

const pattern = /(?:a)+/;

const pattern = /ba+b/;

Trading Quantifiers

When two quantifiers can exchange characters, it causes polynomial backtracking.

❌ Incorrect

const pattern = /\ba+a+$/;

const pattern = /\b\w+a\w+$/;

✅ Correct

const pattern = /\ba+$/;

const pattern = /\b\w+a$/;

RegExp Constructor

The rule also applies to patterns created with the RegExp constructor.

❌ Incorrect

const pattern = new RegExp("(?:a+)+");

✅ Correct

const pattern = new RegExp("(?:a)+");

Options

This rule is not configurable.

When Not To Use It

If you are confident that your regular expressions will only be used with trusted input that cannot be manipulated by attackers, you might consider disabling this rule.

Further Reading

• MDN: Regular expressions
• OWASP: Regular expression Denial of Service - ReDoS

Equivalents in Other Linters

• ESLint: regexp/no-super-linear-backtracking