
Releases: GetPageSpeed/redoctor

v0.1.2 - False Positive Fix

09 Jan 11:38


Bug Fixes

  • Fixed false positives: simple patterns like ^a+ were incorrectly flagged as vulnerable

    • Fixed epsilon elimination in OrderedNFA so that intermediate states are tracked properly
  • Improved detection: the hybrid checker now runs both the automaton checker and the fuzz checker

    • It reports the more severe of the two results, so nested-quantifier patterns like (a+)+ are still caught when one checker misses them
    • The automaton checker has known limitations with certain patterns due to epsilon elimination, which is why the fuzz result is also consulted

Test Results

All 532 tests pass.

Examples

# Now correctly identified as SAFE
redoctor '^a+'
# SAFE: ^a+

# Correctly identified as VULNERABLE
redoctor '^(a+)+$'
# VULNERABLE: ^(a+)+$
#   Complexity: O(2^n)
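To make the hybrid strategy concrete, here is a small added example in Python. It is not ReDoctor's own code: it is a toy checker for a regex subset (literals, groups, alternation, +, *, ^ and $) in which a nested-quantifier scan stands in for the automaton checker, a step-counting backtracking matcher stands in for the fuzz checker, and the final verdict is the more severe of the two, as the release notes describe. The AST layout, the attack-string construction (pump each literal of the pattern, with and without a non-matching NUL suffix), the input sizes 8 and 16 and the growth thresholds (degree estimate d >= 4 reported as exponential, d >= 1.5 as polynomial) are all assumptions made for this illustration. The pattern (a|aa)+$ shows why merging matters: the static scan sees no nested quantifier, but the step count grows like the Fibonacci numbers and the fuzz side reports it.

```python
# Toy hybrid ReDoS checker, added as an illustration: this is not ReDoctor's own
# code. Regex subset: literals ( ) | + * ^ $. The AST shape, the attack strings,
# the input sizes and the growth thresholds are assumptions made for this example.
import math

SAFE, POLYNOMIAL, EXPONENTIAL = 0, 1, 2
LABEL = {SAFE: "SAFE", POLYNOMIAL: "VULNERABLE O(n^d)", EXPONENTIAL: "VULNERABLE O(2^n)"}

def parse(pattern):
    """Recursive descent into ('char', c), ('seq', [..]), ('alt', [..]), ('bol',), ('eol',)
    and ('rep', node, min), where '+' has min 1 and '*' has min 0."""
    pos = 0
    def alt():
        nonlocal pos
        branches = [seq()]
        while pos < len(pattern) and pattern[pos] == "|":
            pos += 1
            branches.append(seq())
        return branches[0] if len(branches) == 1 else ("alt", branches)
    def seq():
        nonlocal pos
        items = []
        while pos < len(pattern) and pattern[pos] not in "|)":
            node = atom()
            while pos < len(pattern) and pattern[pos] in "+*":
                node, pos = ("rep", node, int(pattern[pos] == "+")), pos + 1
            items.append(node)
        return ("seq", items)
    def atom():
        nonlocal pos
        c, pos = pattern[pos], pos + 1
        if c == "(":
            node = alt()
            if pos >= len(pattern) or pattern[pos] != ")":
                raise ValueError("unbalanced '('")
            pos += 1
            return node
        if c in "+*":
            raise ValueError("nothing to repeat")
        return ("bol",) if c == "^" else ("eol",) if c == "$" else ("char", c)
    tree = alt()
    if pos != len(pattern):
        raise ValueError("unbalanced ')'")
    return tree

def static_check(node, inside_rep=False):
    """Automaton-checker stand-in: a quantifier nested inside another one, like (a+)+."""
    if node[0] == "rep":
        return EXPONENTIAL if inside_rep else static_check(node[1], True)
    if node[0] in ("seq", "alt"):
        return max((static_check(n, inside_rep) for n in node[1]), default=SAFE)
    return SAFE

def count_steps(tree, text):
    """Backtracking search over text, counting node visits; the continuation k(j)
    asks whether the rest of the pattern matches from position j."""
    steps = 0
    def m(node, i, k):
        nonlocal steps
        steps += 1
        kind = node[0]
        if kind == "char":
            return i < len(text) and text[i] == node[1] and k(i + 1)
        if kind in ("bol", "eol"):
            return i == (0 if kind == "bol" else len(text)) and k(i)
        if kind == "alt":
            return any(m(b, i, k) for b in node[1])
        if kind == "seq":
            def run(idx, j):  # match node[1][idx:] from j, then hand over to k
                return k(j) if idx == len(node[1]) else m(node[1][idx], j, lambda j2: run(idx + 1, j2))
            return run(0, i)
        _, sub, lo = node
        def rep(n, j):  # greedy: another iteration first, then stop once n >= lo;
            # an empty iteration is only accepted while still below the minimum
            if m(sub, j, lambda j2: (j2 != j or n < lo) and rep(n + 1, j2)):
                return True
            return n >= lo and k(j)
        return rep(0, i)
    for start in range(len(text) + 1):  # unanchored search, like re.search
        if m(tree, start, lambda j: True):
            break
    return steps

def fuzz_check(tree, pattern, sizes=(8, 16)):
    """Fuzz-checker stand-in: pump each alphanumeric literal, with and without a
    non-matching NUL suffix (assumed absent from the pattern), and estimate d in
    steps ~ n^d from one doubling of n. O(2^n) shows up as d ~ n, so d >= 4 is
    reported as exponential and 1.5 <= d < 4 as polynomial (thresholds assumed)."""
    worst = 0.0
    for pump in sorted({c for c in pattern if c.isalnum()}) or ["a"]:
        for suffix in ("", "\x00"):
            small, large = (count_steps(tree, pump * n + suffix) for n in sizes)
            worst = max(worst, math.log2(large / small))
    return EXPONENTIAL if worst >= 4 else POLYNOMIAL if worst >= 1.5 else SAFE

def hybrid_check(pattern):
    tree = parse(pattern)  # run both checkers and keep the more severe verdict
    return max(static_check(tree), fuzz_check(tree, pattern))

if __name__ == "__main__":
    for p in ("^a+", "^(a+)+$", "(a|aa)+$", "a+$"):
        print(f"{LABEL[hybrid_check(p)]:<18} {p}")
```

Running the block prints one verdict per pattern: ^a+ comes out SAFE, ^(a+)+$ exponential from both sides, (a|aa)+$ exponential from the fuzz side only, and a+$ polynomial, because an unanchored search rescans the pumped tail from every start position (quadratic step count). The step counter is deliberately crude; real engines differ in constant factors, and the thresholds would need tuning against a corpus before trusting them on production patterns.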

v0.1.1 - License Clarification

09 Jan 11:25


Changes

  • License Update: Clarified license throughout the project as BSL-1.1 (Business Source License 1.1)

    • Added prominent license notice to README
    • Updated license badge
    • Fixed contributing docs
    • Updated package metadata
  • Documentation: Added comprehensive documentation

    • API reference
    • CLI guide
    • Getting started guide
    • How it works explanation
    • ReDoS patterns guide

License

This project is licensed under BSL-1.1:

  • ✅ Free for non-commercial use
  • 💼 Commercial production use requires a paid license
  • 🔓 Converts to MIT on January 9, 2031

ReDoctor v0.1.0

09 Jan 09:12


Initial release of ReDoctor - A Python ReDoS vulnerability checker.

Features

  • Static analysis using automata-based vulnerability detection
  • Fuzzing-based testing for comprehensive coverage
  • CLI tool for checking regex patterns
  • Python API for integration into your projects

Installation

pip install redoctor

Usage

redoctor '^(a+)+$'