
[1223] Change FormattedMessage pattern heuristic #1885


Merged
merged 1 commit into from
Oct 25, 2023

Conversation

ppkarwasz
Contributor

We change the order in which FormattedMessage checks the format of the provided pattern: we first check for the presence of {} placeholders and only then for java.util.Format specifiers.

This eliminates the need for a potentially exponential regular expression evaluation, which was reported by Spotbugs (#1849).

The Javadoc and documentation were improved to clarify the heuristic used by FormattedMessage.

Closes #1223.

Remark: since FormattedMessage used the same regular expression as java.util.Format, if a message uses java.util.Format specifiers, it is still vulnerable to a ReDOS.
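The reordered heuristic, as an added illustration (not Log4j's own code): the cheap `{}` substring check now runs before the specifier regex, so patterns using `{}` never reach the regex at all, while patterns relying on `%` specifiers still do. The regex is the one `java.util.Formatter` historically used to parse specifiers (copied from the JDK source; that it equals what `FormattedMessage` used is an assumption based on the PR text), and the `contains("{}")` placeholder test is a simplification of the real check.

```java
import java.util.regex.Pattern;

/** Added example: old vs. new classification order in a FormattedMessage-style heuristic. */
public final class PatternHeuristicExample {

    /** Specifier regex from java.util.Formatter (assumed identical to the one Log4j used). */
    private static final Pattern FORMAT_SPECIFIER =
            Pattern.compile("%(\\d+\\$)?([-#+ 0,(\\<]*)?(\\d+)?(\\.\\d+)?([tT])?([a-zA-Z%])");

    enum Style { PARAMETERIZED, STRING_FORMAT, PLAIN }

    /** Old order: the regex scan ran on every pattern, even ones that only use {} placeholders. */
    static Style classifyOld(String pattern) {
        if (FORMAT_SPECIFIER.matcher(pattern).find()) {
            return Style.STRING_FORMAT;
        }
        if (pattern.contains("{}")) {          // simplified placeholder test (assumption)
            return Style.PARAMETERIZED;
        }
        return Style.PLAIN;
    }

    /** New order: linear substring check first; the regex only runs when no {} is present. */
    static Style classifyNew(String pattern) {
        if (pattern.contains("{}")) {          // simplified placeholder test (assumption)
            return Style.PARAMETERIZED;
        }
        if (FORMAT_SPECIFIER.matcher(pattern).find()) {
            return Style.STRING_FORMAT;
        }
        return Style.PLAIN;
    }

    public static void main(String[] args) {
        // Constructed sample patterns, not taken from the project.
        String[] samples = {
            "User {} logged in from {}",        // {} only: regex no longer runs
            "Processed %d records in %s ms",    // % only: regex still runs (unchanged behaviour)
            "Rate {} at 100%% done %s",         // both: now PARAMETERIZED, formerly STRING_FORMAT
            "Cache cleared"                     // neither: regex runs in both orders
        };
        for (String s : samples) {
            System.out.printf("%-36s old=%-13s new=%s%n", s, classifyOld(s), classifyNew(s));
        }
    }
}
```

The third sample shows the one observable difference of the reordering: a pattern mixing both forms is now treated as a `{}` message.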

We change the order in which `FormattedMessage` checks the format of the
provided pattern: we first check for the presence of `{}` placeholders
and only then for `java.util.Format` specifiers.

This eliminates the need for a potentially exponential regular
expression evaluation, which was reported by Spotbugs (apache#1849).

The Javadoc and documentation were improved to clarify the heuristic
used by `FormattedMessage`.

Closes apache#1223.

Remark: since `FormattedMessage` used the **same** regular expression as
`java.util.Format`, if a message uses `java.util.Format` specifiers, it
is still vulnerable to a ReDOS.
@ppkarwasz ppkarwasz merged commit 0dfdd8e into apache:2.x Oct 25, 2023
@ppkarwasz ppkarwasz deleted the formatted-message branch October 25, 2023 10:33
@ppkarwasz
Contributor Author

Remark: since FormattedMessage used the same regular expression as java.util.Format, if a message uses java.util.Format specifiers, it is still vulnerable to a ReDOS.

Let me rephrase that: the regular expression we were using was identical to java.util.Formatter#formatSpecifier. If Oracle does not consider that regex a vulnerability, I don't consider it a vulnerability either.

This PR just removes a "potential ReDOS" warning found by our static analysis tools.

Successfully merging this pull request may close these issues.

FormattedMessage doesn't need to use regular expressions