fix possible RegexMatchTimeoutException #1525
Hi @mus65,
Thanks for the contribution.
The timeout is a security requirement here. Depending on where the library is used, attackers could inject an extremely long path to DDoS a service if there was no timeout.
Instead of removing the timeout, I encourage you to explore the following route:
- replace the regex by string operations (index of, substring, etc)
- remove captures (if not necessary)
- reduce back-propagation.
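The two routes discussed in the comment above, as an added example that is not code from this pull request or from the project: keeping a match timeout and handling `RegexMatchTimeoutException`, next to a string-operation version. The `{name}` pattern, the 100 ms bound, the class and method names, and the sample path are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class PathParameters
{
    // Hypothetical pattern (not the project's): the name inside each "{...}".
    // The match timeout stays in place as the bound on attacker-supplied input.
    private static readonly Regex ParamRegex = new Regex(
        @"\{([^{}]+)\}", RegexOptions.None, TimeSpan.FromMilliseconds(100));

    // Regex route: a timeout becomes a controlled rejection, not an unhandled crash.
    public static bool TryExtractWithRegex(string path, List<string> names)
    {
        try
        {
            // Matches() is lazy, so the timeout can fire during enumeration.
            foreach (Match m in ParamRegex.Matches(path))
                names.Add(m.Groups[1].Value);
            return true;
        }
        catch (RegexMatchTimeoutException) { names.Clear(); return false; }
    }

    // String-operation route: one forward pass, linear in the path length,
    // no regex engine involved and therefore no timeout to hit.
    public static List<string> ExtractWithStringOps(string path)
    {
        var names = new List<string>();
        int pos = 0;
        while (pos < path.Length)
        {
            int open = path.IndexOf('{', pos);
            if (open < 0) break;
            int close = path.IndexOf('}', open + 1);
            if (close < 0) break;
            // Use the last '{' before '}' so "{a{b}" yields "b", as the regex does.
            int inner = path.LastIndexOf('{', close - 1, close - open);
            if (close - inner > 1)
                names.Add(path.Substring(inner + 1, close - inner - 1));
            pos = close + 1;
        }
        return names;
    }

    public static void Main()
    {
        // Constructed sample path.
        Console.WriteLine(string.Join(",", ExtractWithStringOps("/users/{userId}/orders/{orderId}")));
    }
}
```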
e3ce8ce to 3df0b7a
3df0b7a to 0a19160
Thanks for the update, here are a few recommendations
@microsoft-github-policy-service agree company="TIS GmbH"
0a19160 to a99baf2
Thanks for making the changes.
@MaggieKimani1 for final review and merge
6bda890 introduced a Timeout on RegEx compilation. We hit this timeout a few times since this change.
Removed the timeout so it uses the default like before.
Stacktrace: