http://qs321.pair.com?node_id=11137259


in reply to Is it safe to use external strings for regexes?

Depending on how nasty your users are, allowing arbitrary regular expressions is an unwise choice. The following regex is valid but will use up lots of CPU:

"aaaaaaaaaaaaaaaaaaaaaaaaaaaaa" =~ /a*a*a*b/

If you can come up with a whitelist of allowed regexes, that would improve things, or maybe consider running the regex search as a time-limited subprocess.
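One way to build the time-limited subprocess suggested above. This is an added example, not code from the post or from PerlMonks; `match_with_timeout` is a hypothetical helper, and the test string and timeout values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Run a user-supplied pattern against $text in a forked child and give up
# after $timeout seconds. Returns 1 (match), 0 (no match) or undef when the
# child timed out or the pattern failed to compile. Hypothetical helper.
sub match_with_timeout {
    my ($pattern, $text, $timeout) = @_;

    pipe(my $rd, my $wr) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {                       # child: all the risky work lives here
        close $rd;
        # qr// on an interpolated string dies on (?{ }) code blocks unless
        # 'use re "eval"' is in effect, so eval{} turns that into an 'E' result.
        my $re = eval { qr/$pattern/ };
        my $result = !defined $re ? 'E' : ($text =~ $re ? '1' : '0');
        print {$wr} $result;
        close $wr;
        exit 0;
    }

    close $wr;                             # parent: wait for one result byte
    my $rin = '';
    vec($rin, fileno($rd), 1) = 1;
    my $rout = $rin;
    my $ready = select($rout, undef, undef, $timeout);
    my $buf = '';
    sysread($rd, $buf, 1) if $ready > 0;
    close $rd;

    if ($buf eq '') {                      # no answer in time: kill the worker
        kill 'KILL', $pid;
        waitpid($pid, 0);
        return undef;
    }
    waitpid($pid, 0);
    return $buf eq '1' ? 1 : $buf eq '0' ? 0 : undef;
}

my $input = 'a' x 29;                      # constructed input, as in the post
for my $pat ('a+b', 'a*a*a*b', 'a(?{ system "id" })') {
    my $r = match_with_timeout($pat, $input, 2);
    printf "%-22s => %s\n", "/$pat/", defined $r ? $r : 'timeout or bad pattern';
}
```

The child is killed outright rather than interrupted, so the guard works even when the regex engine itself never returns to a point where a signal handler could run.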

Re^2: Is it safe to use external strings for regexes?
by stevieb (Canon) on Oct 06, 2021 at 13:44 UTC

    Thanks Corion, that's a good point. The regexes will only be added/edited by seasoned programmers, but I do know that many people who think they know regexes really don't.

    I can definitely add in some checks in conjunction with our existing review processes, but I mostly like the idea of time-limited sub processes to handle the actual work (which can alert if something takes too long).

      It was discussed here in Cloudflare blames PCRE for outage and a blog at cloudflare but they found out a couple years ago even "seasoned programmers" can shoot themselves in the foot as well.

      The cake is a lie.

        even "seasoned programmers" can shoot themselves in the foot as well.

        Yep, been there, done that myself once or twice. It's especially easy to shoot oneself in the foot when carrying a fully loaded automatic with one hand while not having trigger discipline (i.e. a complex regex).