Issue #17837 has been updated by duerst (Martin D=FCrst).


sam.saffron (Sam Saffron) wrote in #note-6:

> > Or is it too difficult to detect them / the problematic patterns evolve=
 over time?
> =

> Sadly I think they are very hard to predict upfront. =


In general, yes. But for an extremely large set of regular expressions, it'=
s easy to predict that they are harmless. And some specific patterns in reg=
ular expressions are clear signs that something might go wrong.


> I do hear you though, a zero cost when no timeout is defined and very che=
ap cost when a timeout is defined seems non trivial to implement.

I very strongly suggest that this feature be voluntary, e.g. as an addition=
al flag on the regular expression.

----------------------------------------
Feature #17837: Add support for Regexp timeouts
https://bugs.ruby-lang.org/issues/17837#change-91798

* Author: sam.saffron (Sam Saffron)
* Status: Open
* Priority: Normal
----------------------------------------
### Background

ReDoS are a very common security issue. At Discourse we have seen a few thr=
ough the years. https://owasp.org/www-community/attacks/Regular_expression_=
Denial_of_Service_-_ReDoS

In a nutshell there are 100s of ways this can happen in production apps, th=
e key is for an attacker (or possibly innocent person) to supply either a p=
roblematic Regexp or a bad string to test it with.

```
/A(B|C+)+D/ =3D~ "A" + "C" * 100 + "X"
```

Having a problem Regexp somewhere in a large app is a universal constant, i=
t will happen as long as you are using Regexps. =



Currently the only feasible way of supplying a consistent safeguard is by u=
sing `Thread.raise` and managing all execution. This kind of pattern requir=
es usage of a third party implementation. There are possibly issues with jR=
uby and Truffle when taking approaches like this.

### Prior art

.NET provides a `MatchTimeout` property per: https://docs.microsoft.com/en-=
us/dotnet/api/system.text.regularexpressions.regex.matchtimeout?view=3Dnet-=
5.0

Java has nothing built in as far as I can tell: https://stackoverflow.com/q=
uestions/910740/cancelling-a-long-running-regex-match

Node has nothing built in as far as I can tell: https://stackoverflow.com/q=
uestions/38859506/cancel-regex-match-if-timeout


Golang and Rust uses RE2 which is not vulnerable to DoS by limiting feature=
s (available in Ruby RE2 gem)

```
irb(main):003:0> r =3D RE2::Regexp.new('A(B|C+)+D')
=3D> #<RE2::Regexp /A(B|C+)+D/>
irb(main):004:0> r.match("A" + "C" * 100 + "X")
=3D> nil
```

### Proposal

Implement `Regexp.timeout` which allow us to specify a global timeout for a=
ll Regexp operations in Ruby. =


Per Regexp would require massive application changes, almost all web apps w=
ould do just fine with a 1 second Regexp timeout.

If `timeout` is set to `nil` everything would work as it does today, when s=
et to second a "monitor" thread would track running regexps and time them o=
ut according to the global value.

### Alternatives =


I recommend against a "per Regexp" API as this decision is at the applicati=
on level. You want to apply it to all regular expressions in all the gems y=
ou are consuming.

I recommend against a move to RE2 at the moment as way too much would break =



### See also: =


https://people.cs.vt.edu/davisjam/downloads/publications/Davis-Dissertation=
-2020.pdf
https://levelup.gitconnected.com/the-regular-expression-denial-of-service-r=
edos-cheat-sheet-a78d0ed7d865





-- =

https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=3Dunsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>