Re: This is an important lesson in the testability of regular expressions
Whereas at the moment, the attackers can only DoS their entire infrastructure with bad source data on a poorly-written regex. So much better!
You write the regex so that it's written properly. So that it doesn't matter what data it's given, it can resolve it within a set time. If it can't do that, then you can't use it anyway as it will introduce *so much* latency into the system that it turns into a DoS and becomes useless.
You're confusing "source data" (hacker controlled) with "regex expression" (Cloudflare controlled). If the regex can't deal with the source data in time, it should alert. There's a clue in that word... alert.
And then realise that maybe, just maybe, regex hunting is no better than or different from AV signatures - which also exhibit this same problem.
If a malicious attacker can control the data in the page to the point that they can make your regexes time out, then they can do a lot worse anyway. Hell, "give up" and return an error in that instance. You'll still have *much less* impact than taking down your entire CDN because of a multitude of over-running regexes from a handful of sites. You'll just have a handful of sites that don't work, rather than an entire international company service.
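The "resolve within a set time, otherwise alert and give up" policy argued for above, as an added example that is not part of this thread. It assumes CPython's backtracking `re` engine and enforces the deadline from a child process, because `re` cannot be interrupted by a signal once a match has started; the patterns and inputs are constructed for illustration.

```python
import multiprocessing as mp
import re

# Constructed sample patterns. The first has nested quantifiers and
# backtracks exponentially on input that almost matches; the second
# accepts the same language without the nested group.
PATHOLOGICAL = r"(a+)+$"
SAFE = r"a+$"

try:
    _CTX = mp.get_context("fork")   # child does not re-import __main__
except ValueError:                  # Windows: only "spawn" is available
    _CTX = mp.get_context()


def _worker(pattern, text, conn):
    """Child process: run the match and report the outcome over a pipe."""
    conn.send(re.search(pattern, text) is not None)
    conn.close()


def search_with_deadline(pattern, text, timeout_s=1.0):
    """Return 'match', 'nomatch' or 'timeout'.

    On 'timeout' the child is killed, so the worker is released however
    the input was crafted; the caller then decides whether to fail
    closed (block) or fail open (pass through), and raises an alert.
    """
    parent_conn, child_conn = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_worker, args=(pattern, text, child_conn))
    proc.start()
    child_conn.close()
    if parent_conn.poll(timeout_s):
        matched = parent_conn.recv()
        proc.join()
        return "match" if matched else "nomatch"
    proc.kill()
    proc.join()
    return "timeout"


def scan(pattern, text, timeout_s=1.0):
    """Bounded match plus the 'alert and give up' policy."""
    outcome = search_with_deadline(pattern, text, timeout_s)
    if outcome == "timeout":
        # Hook real alerting here: the regex, not the request, is the bug.
        print(f"ALERT: regex exceeded {timeout_s}s on {len(text)}-byte input")
    return outcome


if __name__ == "__main__":
    almost = "a" * 30 + "!"           # constructed: nearly matches, never does
    print(scan(SAFE, almost))         # nomatch, quickly
    print(scan(PATHOLOGICAL, almost)) # timeout, after the deadline
```

The same input is harmless with `SAFE` and pins a worker with `PATHOLOGICAL`; the deadline turns the second case into an error plus an alert instead of an outage.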