org.sonar.l10n.py.rules.python.S5857.html
Why is this an issue?
Using reluctant quantifiers (also known as lazy or non-greedy quantifiers) in patterns can often lead to needless backtracking, making the regex needlessly inefficient and potentially vulnerable to catastrophic backtracking. A reluctant .*? or .+? followed by a terminator tries the terminator at every position before consuming one more character; if a later part of the pattern then fails, or the construct sits inside another repetition, the engine revisits every one of those positions. On crafted input this cost grows polynomially, or exponentially when nested in another repetition, which is the basis of regular expression denial of service (ReDoS).
Particularly when using .*? or .+? to match anything up to some terminating character, it is usually a better idea to instead use a greedily quantified negated character class containing the terminating character. Such a class can never consume the terminator, so the repetition stops exactly once and the engine has nothing to revisit. For example <.+?> should be replaced with <[^>]*> or <[^>]+>. Note that <[^>]+> is the closer equivalent, since both it and <.+?> require at least one character between the brackets, while <[^>]*> also accepts <>. Note also that . does not match a newline unless the DOTALL flag is set, whereas [^>] does, so the rewritten pattern may match inputs the original rejected.
Noncompliant code example
r'<.+?>'
r'".*?"'
Compliant solution
r'<[^>]+>'
r'"[^"]*"'
Exceptions
This rule only applies in cases where the reluctant quantifier can easily be replaced with a negated character class. That means the repetition has to be terminated by a single character or character class. Patterns such as the following, where the terminator is a multi-character sequence (--> or */) and the alternatives without reluctant quantifiers are more complicated, are therefore not subject to this rule: a negated single-character class such as [^-]* or [^*]* would stop at the first - or * and reject comments that contain one.
r'<!--.*?-->'
r'/\*.*?\*/'
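As an added example, not part of the rule description and not SonarSource's own check implementation, the following Python script implements the rewrite that the "Why is this an issue?" section describes, leaves the exception cases alone, shows the newline caveat, and times the reluctant and negated-class forms inside an outer repetition so that the backtracking cost becomes visible. The function names (suggest_negated_class, tag_run_timings and the others) and all sample inputs are this example's own constructions. It also makes one conservative assumption of its own: the rewrite is only applied when the terminating character or class is the last token of the pattern, because when more pattern follows the terminator the two forms can match different inputs.

```python
import re
import time

# Finds a reluctant dot quantifier (.*? or .+?) whose continuation is one
# terminating token that also ends the pattern: a plain character, an escaped
# character such as \) or \n, or a character class such as [;,].  Assumption
# of this example: only that case is rewritten, because when more pattern
# follows the terminator the two forms can match differently (see below).
_RELUCTANT_DOT = re.compile(
    r"(?<!\\)\.(?P<quant>[*+])\?"
    r"(?P<term>\\.|\[(?P<neg>\^?)(?P<body>(?:\\.|[^\\\]])+)\]|[^\\\[\]()|*+?{}^$.])"
    r"$"
)


def _class_escape(ch: str) -> str:
    """Escape a character so that it is literal inside [...]."""
    return "\\" + ch if ch in "]\\^-" else ch


def suggest_negated_class(pattern: str):
    """Return the pattern with the reluctant dot replaced by a greedily
    quantified negated class, or None when the rule does not apply."""
    m = _RELUCTANT_DOT.search(pattern)
    if m is None:
        return None
    quant, term = m.group("quant"), m.group("term")
    if term.startswith("["):
        # [^abc] becomes [abc]; [abc] becomes [^abc]
        negated = "[" + ("" if m.group("neg") else "^") + m.group("body") + "]"
    elif term.startswith("\\") and term[1].isalnum():
        negated = "[^" + term + "]"          # keep \n, \t, \d ... as written
    else:
        negated = "[^" + _class_escape(term[-1]) + "]"
    return pattern[:m.start()] + negated + quant + term


def newline_caveat():
    """'.' does not match a newline (without DOTALL) but [^>] does."""
    text = "<a\nb>"                         # constructed input
    a = re.search(r"<.+?>", text)
    b = re.search(r"<[^>]+>", text)
    return (a.group() if a else None, b.group() if b else None)


def continuation_caveat():
    """When more pattern follows the terminator, the two forms diverge:
    the reluctant form can run past a '>' to find a later '>x'."""
    text = "<a>b>x"                         # constructed input
    a = re.search(r"<.+?>x", text)
    b = re.search(r"<[^>]+>x", text)
    return (a.group() if a else None, b.group() if b else None)


def time_search(pattern: str, text: str):
    """Return (matched, seconds) for one re.search call."""
    start = time.perf_counter()
    matched = re.search(pattern, text) is not None
    return matched, time.perf_counter() - start


def tag_run_timings(n: int):
    """Both forms inside an outer repetition, on n tags followed by an
    unterminated one (constructed input, so no match exists).  The reluctant
    form can end each iteration at any later '>' and explores about 2**n
    combinations before failing; the negated class has one way to proceed."""
    text = "<a>" * n + "<b"
    return (time_search(r"^(?:<.+?>)+$", text),
            time_search(r"^(?:<[^>]+>)+$", text))


if __name__ == "__main__":
    for p in (r"<.+?>", r'".*?"', r"key=.*?[;,]", r"<!--.*?-->", r"/\*.*?\*/"):
        print(f"{p!s:16} -> {suggest_negated_class(p)}")
    print("newline:", newline_caveat())
    print("continuation:", continuation_caveat())
    for n in (10, 14, 18):
        (_, slow), (_, fast) = tag_run_timings(n)
        print(f"n={n:2d}  reluctant {slow:8.4f}s   negated class {fast:8.6f}s")
```

Running the script prints the rewrites for the rule's own examples (the two comment patterns from the exceptions come back as None), shows that <.+?> and <[^>]+> disagree on an input containing a newline and that <.+?>x and <[^>]+>x disagree on <a>b>x, and the timing loop shows the reluctant form taking far longer than the negated class on an input that cannot match, with the gap doubling for every extra tag.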