Let me show you why RegEx is a naughty word in our office

Say you’re building a music app and you want to validate song titles.

We need to match words, numbers, and spaces.

So you give the regex a few tries and come up with the following:

[Figure: testing it on regex101.com]

Maybe it’s not the perfect regex (hint: it isn’t).

But hey, it works.

I tested a few song titles and yeah, ready to push to production, woohoo! 🎉

Until a Britney Spears fan plays a joke on your app and enters the following song title as input:

Catastrophic backtracking.

Even if you have no clue what that is, sure sounds scary. And it’s in red too!

Curious to see what it means when you have this little RegEx gem in your Node.js code?

[Figure: Node.js RegEx DoS attack]

A relatively small input string was able to block the Node.js event loop for about 6 seconds, during which time it consumed 99% of the CPU.

Not exactly what you want to do on a single-threaded web application server.
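To see the effect and a fix side by side, here is an added example (not code from the original post). `VULNERABLE` is a constructed pattern of the kind described, with a quantifier nested inside a repeated group; `SAFE`, `isValidTitle`, `worstCase` and the 200-character limit are assumptions made for illustration.

```javascript
// Constructed stand-in for a "words, numbers and spaces" validator:
// the inner "+" sits inside a group that is itself repeated, so a run of
// word characters can be split into groups in exponentially many ways.
const VULNERABLE = /^([a-zA-Z0-9]+\s?)+$/;

// Accepts the same titles, but the separator inside the loop is mandatory,
// so there is exactly one way to split a title into words.
const SAFE = /^[a-zA-Z0-9]+(?:\s[a-zA-Z0-9]+)*\s?$/;

const MAX_TITLE_LENGTH = 200; // assumed limit; reject before the regex runs

function isValidTitle(title) {
  if (typeof title !== 'string' || title.length > MAX_TITLE_LENGTH) return false;
  return SAFE.test(title);
}

// Wall-clock milliseconds spent in a single regex.test() call.
function timeMatch(regex, input) {
  const start = process.hrtime.bigint();
  regex.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed worst case: n word characters followed by one character the
// pattern rejects, so the engine must exhaust every split before failing.
function worstCase(n) {
  return 'a'.repeat(n) + '!';
}

// Each extra pair of characters roughly quadruples the vulnerable time,
// while the safe pattern stays flat.
for (const n of [16, 18, 20, 22]) {
  const input = worstCase(n);
  console.log(
    `n=${n} vulnerable=${timeMatch(VULNERABLE, input).toFixed(2)}ms ` +
    `safe=${timeMatch(SAFE, input).toFixed(3)}ms`
  );
}
```

The length check matters even with the safe pattern: it bounds the work per request regardless of how the pattern is later edited.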