I was curious about the catastrophic backtracking mentioned in https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
The change is to remove a regex /\s*,\s*/ and replace it with simpler procedural processing. But this regex is pretty simple. It doesn’t seem like the ones that are used as examples in the articles on evil regexes that I’ve seen (for example, it doesn’t have obvious alternation where the regex engine has to choose how to match a character to part of the regex).
Is there really a pattern that would cause catastrophic backtracking with this simple regex?
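Added example, not part of the question above and not Rails code: a small step-counting model of how a backtracking engine searches for /\s*,\s*/, beside a regex-free splitter in the spirit of the fix. Assumptions: `count_backtracking_steps` is a simplified model of a backtracking matcher (not Onigmo's actual implementation), `evil_input` is a constructed input, and `split_etags_safe` is my illustration of the procedural approach, not the patched Rails method.

```ruby
# Added example: not part of the original post and not Rails code.
# A step-counting model of how a backtracking engine matches /\s*,\s*/,
# plus a regex-free splitter in the spirit of the Rails fix (my
# illustration of the approach, not the actual patched method).
require "benchmark"

# Characters matched by \s in Ruby regexes.
WS = " \t\r\n\f\v".freeze

# Model the search for /\s*,\s*/ in +str+ the way a naive backtracking
# engine does it: at each start position the greedy \s* swallows the whole
# whitespace run, then gives back one character at a time while the engine
# looks for a literal ','. Returns [matched, steps], where steps is the
# number of ',' checks performed. (Simplified model, not Onigmo itself.)
def count_backtracking_steps(str)
  steps = 0
  str.length.times do |start|
    run_end = start
    run_end += 1 while run_end < str.length && WS.include?(str[run_end])
    j = run_end
    loop do
      steps += 1
      # ',' found; the trailing \s* is greedy with nothing after it, so it cannot fail
      return [true, steps] if j < str.length && str[j] == ","
      break if j == start # \s* has given back everything; move to the next start
      j -= 1
    end
  end
  [false, steps]
end

# Constructed input: a run of +n+ whitespace characters that is not followed
# by a comma. Every start position inside the run backtracks across the whole
# remainder of it, so the step count is (n+1)(n+2)/2, i.e. quadratic in n.
def evil_input(n)
  (" " * n) + "x"
end

# Regex-free splitting, in the spirit of the Rails fix (my illustration):
# split on the literal comma, then trim each piece. Each character is
# visited a bounded number of times, so cost is linear in the header length.
def split_etags_safe(header)
  header.split(",").map(&:strip)
end

# The original regex-based form, kept for comparison.
def split_etags_regex(header)
  header.split(/\s*,\s*/)
end

# Wall-clock cost of the real regex on the crafted input. A comma is appended
# so the engine's literal-substring prefilter does not reject the string
# outright. Not asserted on: timings vary by machine and Ruby version
# (Ruby 3.2 added regex memoization that can mask this particular case).
def real_regex_seconds(n)
  s = evil_input(n) + ","
  Benchmark.realtime { split_etags_regex(s) }
end

if $PROGRAM_NAME == __FILE__
  [10, 100, 1_000].each do |n|
    puts "n=#{n}: #{count_backtracking_steps(evil_input(n))[1]} steps"
  end
  # Constructed If-None-Match header: both splitters agree on well-formed input.
  header = '"abc", "def" ,"ghi"'
  p split_etags_regex(header) == split_etags_safe(header)
end
```

The model shows the mechanism the question is asking about: there is no nested quantifier or overlapping alternation here, so the regex cannot go exponential, but the leading unanchored `\s*` is retried at every start position, and on a long whitespace run with no comma after it each retry walks the rest of the run. That is O(n^2) in the header length, which is already enough to tie up a worker on a header of a few hundred kilobytes. The procedural version touches each character a fixed number of times.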