Regexploit
Regexploit is a Python library designed to identify Regular Expression Denial of Service (ReDoS) vulnerabilities in regular expressions. It analyzes a given regex string to determine if it can be exploited by crafted input, potentially leading to excessive backtracking and application slowdowns or crashes. The current version is 1.0.0, and releases appear to be infrequent, focusing on stable major versions.
Common errors
- `ModuleNotFoundError: No module named 'regexploit'`
  cause: The 'regexploit' package is not installed in your current Python environment.
  fix: Run `pip install regexploit` to install the library.
- `_sre.error: missing ), unterminated subpattern at position X` (or similar regex syntax errors)
  cause: The regular expression string provided to `Regexploit` has a syntax error that Python's `re` engine cannot parse.
  fix: Review and correct the regex pattern for any syntax errors (e.g., unclosed parentheses, invalid escape sequences). Using raw strings (e.g., `r"my(regex)"`) is highly recommended to avoid issues with backslashes.
- `TypeError: Regexploit() missing 1 required positional argument: 'regex_string'`
  cause: You are attempting to instantiate `Regexploit` without providing the mandatory regex string argument.
  fix: Pass the regex string as the first argument to the constructor, e.g., `Regexploit(r"your_pattern_here")`.
Warnings
- gotcha: Analyzing complex or very long regexes can be computationally intensive and time-consuming. By default, Regexploit does not impose a timeout.
- gotcha: Regexploit expects regex strings that are valid according to Python's `re` module syntax. Invalid regex patterns will cause `_sre.error` or other exceptions.
- gotcha: While powerful, Regexploit is a static analysis tool that identifies *potential* ReDoS vulnerabilities. It may not detect all possible exploitation vectors, and false negatives are possible.
Install
- `pip install regexploit`
Imports
- Regexploit: `from regexploit.regexploit import Regexploit`
Quickstart
```python
from regexploit.regexploit import Regexploit
import json

# Define a potentially vulnerable regex pattern
regex_pattern = r"^(a+)+$"

# Initialize the Regexploit engine with the pattern
# It's recommended to set a timeout to prevent excessively long analysis
exploit = Regexploit(regex_pattern, timeout=5)

# Check the regex for ReDoS vulnerabilities
result = exploit.check()

# Process and display the results
if result.is_vulnerable():
    print(f"The regex '{regex_pattern}' is potentially vulnerable to ReDoS.")
    print("Vulnerability Details:")
    print(json.dumps(result.to_dict(), indent=2))
else:
    print(f"The regex '{regex_pattern}' appears to be safe from common ReDoS patterns.")
```
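To show what a static ReDoS check actually looks for, here is an added example (not Regexploit's own code and not using the package) that walks Python's own regex parse tree and flags quantifiers nested inside quantifiers, the `^(a+)+$` shape from the quickstart. It uses only the standard library; the function names `nested_quantifiers` and `looks_vulnerable` are this example's own.

```python
# Added example (not Regexploit's own code): the nested-quantifier heuristic a static
# ReDoS checker applies, run over Python's own regex parse tree (re._parser / sre_parse).
# Pure standard library; no external package needed.
try:
    from re import _parser as sre_parse   # Python 3.11+
except ImportError:                       # Python 3.10 and earlier
    import sre_parse                      # type: ignore

REPEAT_OPS = {"MAX_REPEAT", "MIN_REPEAT"}


def _walk(tree, inside_repeat, findings):
    """Recurse through the parse tree, recording repeats nested inside repeats."""
    for op, av in tree:
        name = op.name
        if name in REPEAT_OPS:
            lo, hi, body = av                 # hi is MAXREPEAT for '+', '*', '{n,}'
            can_loop = hi > 1                 # quantifier that may iterate more than once
            if can_loop and inside_repeat:
                findings.append(f"{name}{{{lo},{hi}}} nested inside another quantifier")
            _walk(body, inside_repeat or can_loop, findings)
        elif name == "SUBPATTERN":            # (...) group: the body is the last element
            _walk(av[-1], inside_repeat, findings)
        elif name == "BRANCH":                # a|b: inspect every alternative
            for alternative in av[1]:
                _walk(alternative, inside_repeat, findings)
        elif name in ("ASSERT", "ASSERT_NOT"):  # lookahead / lookbehind body
            _walk(av[1], inside_repeat, findings)


def nested_quantifiers(pattern: str) -> list:
    """Describe each quantifier that sits inside another quantifier."""
    findings = []
    _walk(sre_parse.parse(pattern), False, findings)
    return findings


def looks_vulnerable(pattern: str) -> bool:
    """True when the pattern has the ^(a+)+$ shape. Heuristic only: it misses
    overlapping alternations such as (a|aa)+ and can flag safe patterns such as
    (a+b)+ where a literal separates the repeats, so treat hits as leads to review."""
    return bool(nested_quantifiers(pattern))


if __name__ == "__main__":
    for pat in (r"^(a+)+$", r"^(\d+\s*)*$", r"^a+$", r"(a|aa)+"):
        verdict = "REVIEW" if looks_vulnerable(pat) else "ok"
        print(f"{pat!r:18} -> {verdict}", nested_quantifiers(pat))
```

The `(a|aa)+` case is deliberately included as a miss: it backtracks catastrophically but has no nested quantifier, which is exactly the kind of false negative the warnings above refer to.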