> ps: Is there a way to prove the output of complex regular expressions?
It's not really clear what you mean here.
Maybe you mean "if the input matches this regex, then it can't be used for command injection"? Then you'd just need a proof that something matching that regex can't escape the intended context in the code you're generating. That's fairly trivial if you have a regex describing all escape sequences, for instance.
If they're not really regular expressions, then the answer is more complicated but still generally yes.
It's not really clear what you mean here.
Maybe you mean "if the input matches this regex, then it can't be used for command injection"? Then you'd just need a proof that something matching that regex can't escape the intended context in the code you're generating. That's fairly trivial if you have a regex describing all escape sequences, for instance.
If they're not really regular expressions, then the answer is more complicated but still generally yes.