This is the regular expression that caused all Cloudflare servers to use 100% CPU and thereby
cause a 27-minute outage:
(?:(?:\"|'|\]|\}|\\|\d|(?:nan|infinity|true|false|null|undefined|symbo
+l|math)|\`|\-|\+)+[)]*;?((?:\s|-|~|!|{}|\|\||\+)*.*(?:.*=.*)))
The last part of the regex is odd:
.*(?:.*=.*)
The last grouping does not do anything useful: it is not followed by a quantifier, nor does it capture. It can be simplified to
.*=.*
or to some variation thereof. But this is not how the regex discussion ends in the blog post:
But laziness isn’t the total solution to this backtracking behaviour. Changing the catastrophic example .*.*=.*; to .*?.*?=.*?; doesn’t change its run time at all. x=x still takes 555 steps and x= followed by 20 x’s still takes 5,353 steps.
The only real solution, short of fully re-writing the pattern to be more specific, is to move away from a regular expression engine with this backtracking mechanism. Which we are doing within the next few weeks.
I am guessing this is politically driven: Some people at Cloudflare want to use Rust and this snafu is a convenient excuse.
Another angle to consider is that of personnel. The postmortem does not dwell on the fact that this regular expression made it through review. Meaning that not only the person who wrote the regular expression was unaware of the backtracking potential of the above, but neither did the reviewer.