JDK-8268854

Simple ReDoS prevention


      A DESCRIPTION OF THE PROBLEM :
      Summary
      -------

      Prevent "regular expression denial of service" attacks
      (https://en.wikipedia.org/wiki/ReDoS) in a simple, backward compatible,
      and cheap to implement way.

      This is done by allowing the user to specify a callback that the regex
      engine invokes frequently (on every execution step), and letting this callback
      cancel the regex execution.

      Description
      -----------

      ReDoS is a serious problem in general, and for the Java platform in particular.

      Alternative regex engines, like https://github.com/google/re2j, do not support
      all features of `java.util.regex.Pattern` and so cannot serve as a drop-in replacement.

      A simple approach people use to prevent ReDoS for `java.util.regex.Pattern`
      is to rely on the fact that the engine frequently calls the `charAt`
      method of the input `CharSequence`:
      https://www.exratione.com/2017/06/preventing-unbounded-regular-expression-operations-in-java/

      In the `charAt` implementation the user can check how much time has elapsed,
      or simply count the invocations and abort execution after a certain number
      of invocations. In the counter approach we treat the number of `charAt` calls
      as a proxy for the number of regex execution steps.

      The problem is that this approach relies on the engine internals. It will
      break if tomorrow the engine, for example, copies the input into an
      array and operates on that, and thus stops invoking the overridden `charAt`.
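      An added illustration of the `charAt`-based workaround described above. This is
      not code from this issue, from the linked blog post, or from the JDK: the class,
      method and exception names are my own, and the two inputs are constructed for the
      demo. The wrapper counts `charAt` calls (the proxy for engine steps) and also
      samples a wall-clock deadline, and aborts the match by throwing. It works only
      because the current engine reads its input through `charAt`, which is exactly the
      dependency on engine internals this issue points out. Requires Java 11+ for
      `String.repeat`.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Wraps the input of a java.util.regex match and aborts the match once the engine
 * has called charAt() more than a fixed number of times or a deadline has passed.
 * The charAt() count is only a proxy for engine steps (assumption: the engine
 * reads input exclusively through this interface, which is an internal detail).
 */
public final class BoundedCharSequence implements CharSequence {

    /** Thrown from charAt() when the step or time budget is exhausted. */
    public static final class RegexBudgetExceededException extends RuntimeException {
        RegexBudgetExceededException(String message) { super(message); }
    }

    private final CharSequence delegate;
    private final long maxCharAtCalls;
    private final long deadlineNanos;
    private final long[] calls;   // shared with sub-sequences so they cannot escape the budget

    public BoundedCharSequence(CharSequence delegate, long maxCharAtCalls, long timeoutMillis) {
        this(delegate, maxCharAtCalls,
             System.nanoTime() + timeoutMillis * 1_000_000L, new long[1]);
    }

    private BoundedCharSequence(CharSequence delegate, long maxCharAtCalls,
                                long deadlineNanos, long[] calls) {
        this.delegate = delegate;
        this.maxCharAtCalls = maxCharAtCalls;
        this.deadlineNanos = deadlineNanos;
        this.calls = calls;
    }

    @Override
    public char charAt(int index) {
        long n = ++calls[0];
        if (n > maxCharAtCalls) {
            throw new RegexBudgetExceededException(
                "regex aborted after " + n + " charAt() calls");
        }
        // Reading the clock on every call is too expensive; sample it every 1024 calls.
        // Subtraction keeps the comparison correct even if nanoTime() wraps around.
        if ((n & 1023) == 0 && System.nanoTime() - deadlineNanos > 0) {
            throw new RegexBudgetExceededException(
                "regex aborted: deadline passed after " + n + " charAt() calls");
        }
        return delegate.charAt(index);
    }

    @Override public int length() { return delegate.length(); }

    @Override
    public CharSequence subSequence(int start, int end) {
        // Matcher.group() goes through subSequence(); keep the shared counter.
        return new BoundedCharSequence(delegate.subSequence(start, end),
                                       maxCharAtCalls, deadlineNanos, calls);
    }

    @Override public String toString() { return delegate.toString(); }

    /** Number of charAt() calls observed so far, for diagnostics. */
    public long charAtCalls() { return calls[0]; }

    public static void main(String[] args) {
        // Classic nested-quantifier pattern with catastrophic backtracking on a failing input.
        Pattern evil = Pattern.compile("(a+)+$");
        String benign  = "a".repeat(30);        // constructed input: matches on the first try
        String hostile = "a".repeat(30) + "!";  // constructed input: 2^30-ish backtracking without a budget

        for (String input : new String[] { benign, hostile }) {
            BoundedCharSequence bounded = new BoundedCharSequence(input, 1_000_000, 500);
            Matcher m = evil.matcher(bounded);
            try {
                System.out.println("matches=" + m.matches()
                    + " after " + bounded.charAtCalls() + " charAt() calls");
            } catch (RegexBudgetExceededException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

      The benign input completes in a handful of `charAt` calls; the hostile input is
      cut off at one million calls instead of running for minutes. Note that the budget
      has to be chosen per call site: a legitimate match over a large input can need
      many more `charAt` calls than a pathological match over a short one, which is one
      reason a count of real engine steps exposed by the engine itself would be a better
      basis than this proxy.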

      Let's introduce official support for this approach - extend the public API
      to allow the user to pass some `onStep` callback that will be invoked by the regex
      engine on every execution step.

      See also: https://openjdk.java.net/jeps/8260688


            tongwan Andrew Wang
            webbuggrp Webbug Group