Skip to content
DevMeme
3653 of 7435
Regex Review By Trust Fall
CodeReviews Post #3991, on Nov 30, 2021 in TG

Regex Review By Trust Fall

Why is this CodeReviews meme funny?

Level 1: The Magic Password

It is funny because the code looks like a secret spell made of dots, brackets, and slashes. The reviewer is basically saying, "I do not understand the spell, but I trust you not to blow up the kitchen." It is like letting a friend cook from a recipe written entirely in abbreviations and deciding dinner is probably fine because they seem confident.

Level 2: Pattern Matching Panic

Regular expressions are patterns for matching text. In Python, the re module lets code ask questions like "does this string match this pattern?" or "extract the part that looks like a number." Symbols such as +, ?, [ ], ^, and $ have special meanings, so a regex can become very compact very quickly.

For example, a simple pattern like this checks for one or more digits:

import re

pattern = r"^[0-9]+$"

The ^ means "start of the string," [0-9] means "a digit," + means "one or more," and $ means "end of the string." That is manageable. But when a pattern tries to validate something like an email address, it can grow into a wall of tiny symbols. A junior developer reviewing it may understand each piece separately and still not feel confident that the whole thing handles real input correctly.

That is why the visible comment lands. In a PullRequest, reviewers are supposed to check whether the code is correct, readable, tested, and maintainable. With regex, the honest review is often: "I can tell this is trying to do the right thing, but I need tests before I believe it." Trust is not a substitute for examples like valid emails, invalid emails, uppercase input, missing domains, long suffixes, and strange punctuation.

Level 3: LGTM By Faith

The joke is a perfect CodeReview anti-pattern because the reviewer is not approving clarity; they are approving trust. The diff visibly imports Python's re module and adds an email_regex, then the reviewer effectively admits that the pattern is dense enough to bypass ordinary human verification. That is painfully familiar. A pull request is supposed to make changes legible to another engineer. Regex often turns that process into staring at punctuation until the punctuation wins.

The problem is not that regular expressions are bad. They are excellent for compact pattern matching: token extraction, input filtering, log parsing, quick validation, and text cleanup. The problem is that compactness and readability pull in opposite directions. A ten-character mistake can broaden validation, reject valid users, enable bypasses, or create performance trouble if the engine backtracks through a pathological input. In a PR, the danger hides inside a line that looks too small to deserve a full design discussion. Classic software tragedy: the riskiest part of the change is the part everyone wants to scroll past.

Email validation is especially cursed because teams often want something deceptively simple: "make sure this is an email." That requirement sounds like a yes/no check, but real systems usually need a layered answer. Is the string shaped like an email? Is the domain plausible? Does the user control the mailbox? Should weird-but-valid addresses be accepted? Should disposable providers be blocked? A regex can answer only one slice of that question, and if nobody writes down which slice, the reviewer is left blessing an incantation and hoping QA remembered the edge cases.

Level 4: Automata With Trust Issues

The image shows a GitHub-style pull request diff adding Python regex code, followed by the reviewer surrendering:

i'm gonna trust you with this one

That surrender is funnier when you remember that "regex" started as a clean formal idea. A regular expression, in the theoretical sense, describes a regular language: a set of strings recognizable by a finite automaton. In that world, the machine has a limited number of states, reads characters one at a time, and either accepts or rejects the input. Elegant, crisp, mathematically respectable. Then production programmers arrived, added engine-specific syntax, captures, lookarounds, Unicode quirks, greedy and lazy quantifiers, backtracking behavior, and sometimes features that are not regular in the formal-language sense anymore. Naturally, we still call the whole swamp "regex" and pretend code review can happen in a comment box.

The likely email-validation target makes the trust fall worse. Email addresses are not just "letters, maybe a dot, then @, then domain, then suffix." They involve syntax rules, domain rules, deliverability rules, internationalization, quoted local parts, provider-specific conventions, and product decisions about what the application should accept. A compact pattern can look rigorous while quietly encoding a tiny subset of reality. The apparent precision is part of the trap: anchors like ^ and $, classes like [a-z0-9], and quantifiers like {2,3} make the expression feel mathematically sealed, even when the business requirement is underspecified.

The senior-review pain is that regex correctness is rarely obvious by inspection. You need to know the engine, the flags, the input normalization, the threat model, and the cases intentionally excluded. Otherwise the review becomes a social protocol: did the author test it, do we trust their domain knowledge, and how bad is the blast radius if this rejects a real user or accepts malicious input? Formal languages gave us automata; product deadlines gave us "LGTM, I guess."

Description

The image is a cropped GitHub-style pull request diff with a green added-code block at the top and an inline review comment below. The visible code imports Python's `re` module and adds an `email_regex` raw string that appears to match lowercase email addresses with character classes, an optional dot or underscore, an at sign, a word-domain segment, a dot, and a 2-to-3-character suffix. A reviewer comment in the thread says, "i'm gonna trust you with this one," followed by a reply field and a "Resolve conversation" button. The joke is that regular expressions, especially email regexes, often become so dense that code review turns from verification into social trust.

Comments

27
Anonymous ★ Top Pick Every email regex review eventually reaches the same approval state: LGTM, pending formal proof by someone else's outage.
  1. Anonymous ★ Top Pick

    Every email regex review eventually reaches the same approval state: LGTM, pending formal proof by someone else's outage.

  2. Deleted Account 4y

    Dashes would not work(idk if they are in actual email addresses)

  3. @ivan_orange 4y

    Many things won't work that's awful regex for email

  4. @affirvega 4y

    it matches only one _, so email [email protected] won't work

    1. @TERASKULL 4y

      we don't need that many users anyway, come back when you have a NORMAL email

      1. @affirvega 4y

        I'm just gonna register on 20minutemail.com email for that

  5. @Rumbatutumba 4y

    you can always verify on stakO

  6. @affirvega 4y

    How to verify email address 1. You don't use regex 2. Just try to send a message. If they registered - great, if not - autodelete account

    1. @ZgGPuo8dZef58K6hxxGVj3Z2 4y

      Lol I can see ddos

      1. @affirvega 4y

        Just the same with the valid email addresses?

        1. @ZgGPuo8dZef58K6hxxGVj3Z2 4y

          Nvm I am on the go. I was already distracted by my email not working with that regex

      2. @affirvega 4y

        Or do you mean I should remove autodeletion?

  7. @ivan_orange 4y

    I usually use [email protected], so I know who sent me spam or sold/leaked my data (you can put anything after "+" in Gmail [email protected] and [email protected] are same mailboxes) And it won't work here because of +

    1. @paul_thunder 4y

      Nice hint Going to try this

    2. @MMageGangsta 4y

      tnx

    3. @affirvega 4y

      Thanks!

    4. @dsmagikswsa 4y

      Thankyou sir. That’s cool!

    5. @MrXLR8 4y

      Thanks. What resources already leaked your data?

  8. @kitbot256 4y

    this is an extremely stupid regex. Would not work for for [email protected], or for [email protected]...

  9. @Araalith 4y

    Also this regex doesnt work for something like [email protected]

  10. @igordata 4y

    dot is optional, btw. 2-3 for domain zone is obsolete, so... The one and only way to check if that's a valid email address is that there have to be something before and after @. Let's say .+@.+ (valid != existing)

  11. @asm3r 4y

    RFC 822 https://stackoverflow.com/questions/20771794/mailrfc822address-regex looks much better

  12. @ZgGPuo8dZef58K6hxxGVj3Z2 4y

    [email protected]

  13. @ZgGPuo8dZef58K6hxxGVj3Z2 4y

    And my password is nicknameyear /s

    1. @sylfn 4y

      with space and slash-s appended?

      1. @ZgGPuo8dZef58K6hxxGVj3Z2 4y

        Nope just everything together

  14. @s2504s 4y

    If you had some issue and solved this issue by regex, so now you have two issues

Use J and K for navigation