question: should SO outage regex be matched by regexploit #2
Should we expect regexploit to warn about the kind of Regular Expression Backtracking which caused an outage on StackOverflow (`^[\s\u200c]+|[\s\u200c]+$`) or is it out of scope of this tool?

Comments

So this is a weird one. The quadratic behaviour doesn't appear if you use

I guess I should make clear that Regexploit will have some false negatives, as it's mostly looking for ambiguous patterns (and exponential regexes), which seem to be common mistakes. For starters, Regexploit is currently only reporting ReDoS which is cubic or worse, to avoid false positives, as quadratic regexes are everywhere. In most cases I've seen, exponential ReDoS causes problems after tens of characters, cubic ReDoS after a few thousand characters, but quadratic requires tens of thousands of characters, which in many cases is prevented by other application or protocol limits. I should probably add a flag to report quadratic ReDoS, but the heuristic check for now would still miss SO's issue.

Thanks for the question by the way.
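The three growth classes the maintainer distinguishes (quadratic, cubic, exponential) can be measured directly by timing a backtracking engine on inputs of increasing length. The script below is an added example and is not part of this issue thread or of regexploit; it does not call regexploit at all. It uses Python's `re` module as a stand-in for the .NET engine involved in the Stack Overflow outage, since both backtrack the same way on these patterns. The Stack Overflow regex is the one quoted in the issue; the cubic (`\s*\s*$`) and exponential (`(a+)+$`) patterns, the input generators and the size thresholds are constructed for illustration and are assumptions of this example, not anything the page states.

```python
"""Measure how search time grows with input length for three ReDoS classes.

Added example (not from the issue or regexploit).  Python's backtracking `re`
engine stands in for the .NET engine behind the Stack Overflow outage.
"""
import math
import re
import time

# The regex quoted in the issue: strip leading or trailing whitespace / ZWNJ.
SO_REGEX = re.compile(r"^[\s\u200c]+|[\s\u200c]+$")

# Constructed stand-ins for the worse classes the comment describes.
# Two adjacent unbounded repeats before an anchor: every split point is tried.
CUBIC_REGEX = re.compile(r"\s*\s*$")
# A nested repeat of one character: every partition of the run is tried.
EXPONENTIAL_REGEX = re.compile(r"(a+)+$")


def whitespace_in_middle(n: int) -> str:
    """Constructed input: n spaces that are neither leading nor trailing.

    Neither branch of SO_REGEX can match, so the second branch re-scans the
    run of spaces from every start position and backtracks the `+` each time.
    """
    return "x" + " " * n + "x"


def a_then_b(n: int) -> str:
    """Constructed input for the nested-repeat pattern: n 'a's then a 'b'."""
    return "a" * n + "b"


def min_search_seconds(pattern: re.Pattern, text: str, repeats: int = 3) -> float:
    """Fastest of `repeats` wall-clock timings of pattern.search(text)."""
    best = math.inf
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.search(text)
        best = min(best, time.perf_counter() - start)
    return best


def polynomial_degree(pattern: re.Pattern, make_input, n1: int, n2: int) -> float:
    """Estimate k in time ~ n**k from two input sizes n1 < n2.

    About 2 means quadratic (doubling the input quadruples the time),
    about 3 means cubic.
    """
    t1 = min_search_seconds(pattern, make_input(n1))
    t2 = min_search_seconds(pattern, make_input(n2))
    return math.log(t2 / t1) / math.log(n2 / n1)


def doublings_per_char(pattern: re.Pattern, make_input, n1: int, n2: int) -> float:
    """Estimate b in time ~ 2**(b*n); about 1 means each extra character doubles the time."""
    t1 = min_search_seconds(pattern, make_input(n1))
    t2 = min_search_seconds(pattern, make_input(n2))
    return math.log2(t2 / t1) / (n2 - n1)


if __name__ == "__main__":
    # Sizes are assumptions chosen so each run finishes in well under a second.
    print("SO regex, degree ~2 expected:",
          round(polynomial_degree(SO_REGEX, whitespace_in_middle, 3000, 6000), 2))
    print("\\s*\\s*$, degree ~3 expected:",
          round(polynomial_degree(CUBIC_REGEX, whitespace_in_middle, 200, 400), 2))
    print("(a+)+$, ~1 doubling per char expected:",
          round(doublings_per_char(EXPONENTIAL_REGEX, a_then_b, 16, 20), 2))
```

The numbers line up with the comment's rule of thumb: the quadratic Stack Overflow pattern needs thousands of characters before a single search takes a noticeable fraction of a second, the cubic pattern gets there at a few hundred, and the exponential one at about twenty. A quick check against your own patterns is to plug them into `polynomial_degree` with an input the pattern almost matches; a degree near 1 is the target for anything that sees attacker-controlled input.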