Re: This is an important lesson in the testability of regular expressions
Whereas at the moment, the attackers can only DoS their entire infrastructure with bad source data on a poorly-written regex. So much better!
You write the regex so that it's written properly. So that it doesn't matter what data it's given, it can resolve it within a set time. If it can't do that, then you can't use it anyway as it will introduce *so much* latency into the system that it turns into a DoS and becomes useless.
You're confusing "source data" (hacker controlled) with "regex expression" (Cloudflare controlled). If the regex can't deal with the source data in time, it should alert. There's a clue in that word... alert.
If it alerts on every damn page you go on that has a bit of Javascript, it's useless anyway but at least it didn't bring half the globe down with it.
And then realise that maybe, just maybe, regex hunting is no better or different to AV signatures - which also exhibit this same problem.
If a malicious attacker can control the data in the page to the point that they can make your regexes time out, then they can do a lot worse anyway. Hell, "give up" and return an error in that instance. You'll still have *much less* impact than taking down your entire CDN because of a multitude of over-running regexes from a handful of sites. You'll just have a handful of sites that don't work, rather than an entire international company service.
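The post argues that a regex should be tested against adversarial input and should resolve within a set time budget, or be flagged. The following is an added example (not part of the original comment thread and not Cloudflare's code) of a pre-deployment check that does exactly that with Python's backtracking `re` engine: it runs a candidate pattern on a family of constructed "almost matching" inputs of growing length, reports the first length at which one match exceeds the budget, and confirms that a rewritten, linear-time pattern still accepts the same strings. The two patterns (`BAD`, `GOOD`), the input family, and the budget are assumptions chosen for illustration; a real harness would generate the adversarial inputs from the pattern itself rather than hardcode them.

```python
import re
import time

# Patterns under test (constructed for this example). BAD nests a quantifier
# inside another quantifier, so on input that almost matches it tries every
# way of splitting the run of "a"s before failing: exponential time.
# GOOD accepts exactly the same strings but backtracks at most linearly.
BAD = re.compile(r"^(a+)+$")
GOOD = re.compile(r"^a+$")


def almost_matching_input(n: int) -> str:
    """Constructed adversarial input: n matching characters followed by one
    character that makes the overall match fail only at the very end."""
    return "a" * n + "!"


def time_match(pattern: re.Pattern, text: str) -> tuple[bool, float]:
    """Run one match and return (matched?, wall-clock seconds taken)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def probe_backtracking(pattern: re.Pattern, budget_seconds: float = 0.05,
                       sizes=range(8, 29, 2)):
    """Match the pattern against growing adversarial inputs.

    Returns the first input length at which a single match exceeded the
    time budget, or None if every length stayed within budget. Stopping at
    the first overrun keeps the probe itself bounded."""
    for n in sizes:
        _, elapsed = time_match(pattern, almost_matching_input(n))
        if elapsed > budget_seconds:
            return n
    return None


def same_results(p1: re.Pattern, p2: re.Pattern, samples) -> bool:
    """True if both patterns accept and reject exactly the same samples;
    a rewrite that changes what is matched is a different bug, not a fix."""
    return all((p1.match(s) is not None) == (p2.match(s) is not None)
               for s in samples)


def check_before_deploy(candidate: re.Pattern, budget_seconds: float = 0.05) -> dict:
    """Deployment gate in the spirit of the post: status "alert" means the
    pattern blew its time budget on adversarial input and must not ship."""
    first_slow = probe_backtracking(candidate, budget_seconds)
    return {
        "pattern": candidate.pattern,
        "status": "alert" if first_slow is not None else "ok",
        "first_slow_size": first_slow,
    }


if __name__ == "__main__":
    for p in (BAD, GOOD):
        print(check_before_deploy(p))
    print("rewrite equivalent:",
          same_results(BAD, GOOD, ["", "a", "aaaa", "aaab", "baaa", "aaaa!"]))
```

The probe is deliberately small: a budget of 50 ms per match on inputs of a few dozen characters is enough to separate exponential from linear behaviour, and a pattern that trips it here would do far worse on a real page with kilobytes of attacker-controlled text. The equivalence check matters as much as the timing check, since the usual way to "fix" catastrophic backtracking is to rewrite the pattern, and the rewrite has to match the same inputs.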