== Why is this an issue?

Far from being quick and efficient, regular expression evaluation can lead to an exponential number of evaluation paths in the worst case. Use a vulnerable regular expression, and with the right inputs it could bring your system to its knees, resulting in a Denial of Service.


Specifically, a vulnerable regex is one that contains a repeated group (E.G. ``++(x)*++`` ), and inside that group there is either further repetition or overlapping alternation (E.G. ``++ab|aba++`` ).


=== Noncompliant code example

[source,text]
----
public void testInput(String input) {
  input.replaceAll("(x+)*", ""); // Noncompliant; group is repeated and contains repetition
  input.replaceAll("(ab|aba)+", ""); // Noncompliant; group is repeated and contains overlapping alternation
}
----