In the WikibaseQualityConstraints extension, we need to check user-provided input against user-provided regexes, which is generally unsafe without some sort of protection. (See the parent task for some more details.)
Currently, this is implemented using Shellbox (with a fairly short timeout). This is already an improvement over the previous implementation, which used the Wikidata Query Service. However, both of these solutions still add network overhead to the check, making it one of the slowest constraint checks.
The majority of user-provided regexes we’re interested in (77%) do not contain any parentheses, which means they cannot contain any groups and their star height must be 0 or 1. Unless I’m mistaken, this should mean we can safely evaluate them via preg_match (directly in the main PHP process, without Shellbox), and the evaluation time should not explode.
Are there any objections to this? Does anyone have an example query that causes exponential runtime in PCRE without containing parentheses, or are there other security problems when checking user-provided regexes besides runtime concerns?
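The check proposed above, written out as an added example in PHP (not code from WikibaseQualityConstraints): a conservative scan for unescaped parentheses outside character classes, then an in-process preg_match under an explicit backtrack limit that hands the regex back to the sandboxed path whenever the answer is not definite. The function names, the limit value and the `^(?:…)$` whole-value anchoring are assumptions.

```php
<?php
// Added example (not WikibaseQualityConstraints code); names, limit and anchoring are assumptions.

// Conservative: true only if $regex has no unescaped "(" or ")" outside a character
// class. Odd class syntax like [[:alpha:]] may end the class early, which can only yield
// a false "has groups" answer, never a missed group.
function hasNoGroups(string $regex): bool {
    $inClass = false;
    for ($i = 0, $len = strlen($regex); $i < $len; $i++) {
        $c = $regex[$i];
        if ($c === '\\') {                 // "\(" or "\]": skip the escaped character
            $i++;
        } elseif ($inClass) {
            $inClass = ($c !== ']');
        } elseif ($c === '[') {
            $inClass = true;
            // "[]...]" and "[^]...]" begin with a literal "]", so step over it
            if (($regex[$i + 1] ?? '') === '^') { $i++; }
            if (($regex[$i + 1] ?? '') === ']') { $i++; }
        } elseif ($c === '(' || $c === ')') {
            return false;
        }
    }
    return true;
}

// Match the whole $value in-process. Returns true/false for a definite answer and null
// when the regex must go to Shellbox instead (has groups, is invalid, or PCRE stopped at
// a limit), so a limit hit is never mistaken for "no match".
function checkFormatLocally(string $regex, string $value): ?bool {
    if (!hasNoGroups($regex)) {
        return null;
    }
    // Delimiter must not occur in the regex, or the pattern would be cut short.
    $delim = null;
    foreach (['/', '~', '#', '%', '@'] as $d) {
        if (strpos($regex, $d) === false) { $delim = $d; break; }
    }
    if ($delim === null) {
        return null;
    }
    ini_set('pcre.backtrack_limit', '100000');       // assumed value; tune per deployment
    $result = @preg_match($delim . '^(?:' . $regex . ')$' . $delim . 'u', $value);
    if ($result === false) {
        // PREG_BACKTRACK_LIMIT_ERROR, invalid pattern, ...; preg_last_error_msg() needs PHP 8
        error_log('local regex check skipped: ' . preg_last_error_msg());
        return null;
    }
    return $result === 1;
}
```

With this, `checkFormatLocally('[A-Z]{2}\(\d+\)', 'AB(12)')` returns true because the escaped parentheses are literals, while `checkFormatLocally('(a|b)+', 'ab')` returns null and the caller keeps using the Shellbox path.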