- Enhancement
- Resolution: Duplicate
- P4
- None
- 17

A DESCRIPTION OF THE PROBLEM:
Summary
-------
Prevent "regular expression denial of service" attacks
(https://en.wikipedia.org/wiki/ReDoS) in a simple, backward-compatible,
and cheap-to-implement way: allow the user to specify a callback that the regex
engine invokes frequently (on every execution step), and let this callback
cancel the regex execution.

Description
-----------
ReDoS is a serious problem in general, and on the Java platform in particular.
Alternative regex engines, like https://github.com/google/re2j, do not support
all features of `java.util.regex.Pattern`, so they cannot serve as a drop-in replacement.

A simple approach people use to prevent ReDoS with `java.util.regex.Pattern`
is to rely on the fact that the engine frequently calls the `charAt`
method of the input `CharSequence`:
https://www.exratione.com/2017/06/preventing-unbounded-regular-expression-operations-in-java/

In the `charAt` implementation the user can check the elapsed time,
or simply count the invocations and abort execution after a certain number
of them. In the counter approach we treat `charAt` as a proxy
for the number of regex execution steps.

The problem is that this approach relies on engine internals. It will
break if tomorrow the engine, for example, starts operating
on an array into which the input was copied, and thus
stops invoking the overridden `charAt`.

Let's introduce official support for this approach: extend the public API
to allow the user to pass an `onStep` callback that the regex
engine invokes on every execution step.

See also: https://openjdk.java.net/jeps/8260688
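The `charAt`-counting workaround described above, as an added example that is not code from this issue or from the JDK: a `CharSequence` wrapper that aborts matching once the engine has called `charAt` more than a budgeted number of times or past a deadline. The `BudgetedCharSequence` and `RegexBudgetExceededException` classes, the budget values, and the pattern/input pair are all constructed for this illustration. The proposed `onStep` callback does not exist in the public API, so the example shows only the existing workaround whose fragility the report describes (it works solely because the current engine reads its input through `charAt`).

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class ReDoSGuardDemo {

    /** Thrown when the regex engine exceeds the budget attached to the wrapped input. */
    static final class RegexBudgetExceededException extends RuntimeException {
        RegexBudgetExceededException(String reason) {
            super("regex execution aborted: " + reason);
        }
    }

    /**
     * Hypothetical helper: counts every charAt() call the engine makes and checks
     * a deadline, so a catastrophically backtracking match is cut off instead of
     * running for hours. As the report notes, nothing in the public API guarantees
     * that the engine keeps reading its input through charAt().
     */
    static final class BudgetedCharSequence implements CharSequence {
        private final CharSequence delegate;
        private final long maxCharAtCalls;
        private final long deadlineNanos;
        private long calls;

        BudgetedCharSequence(CharSequence delegate, long maxCharAtCalls, long timeoutMillis) {
            this.delegate = delegate;
            this.maxCharAtCalls = maxCharAtCalls;
            this.deadlineNanos = System.nanoTime() + timeoutMillis * 1_000_000L;
        }

        @Override
        public char charAt(int index) {
            // The counter is the cheap check; the clock is consulted only every
            // 1024 calls so the guard itself stays inexpensive on the hot path.
            if (++calls > maxCharAtCalls) {
                throw new RegexBudgetExceededException("more than " + maxCharAtCalls + " charAt() calls");
            }
            if ((calls & 1023) == 0 && System.nanoTime() - deadlineNanos > 0) {
                throw new RegexBudgetExceededException("deadline passed");
            }
            return delegate.charAt(index);
        }

        @Override
        public int length() {
            return delegate.length();
        }

        @Override
        public CharSequence subSequence(int start, int end) {
            // Matcher uses subSequence() to extract groups after a match, not while
            // matching, so returning the plain delegate here does not weaken the guard.
            return delegate.subSequence(start, end);
        }

        @Override
        public String toString() {
            return delegate.toString();
        }

        long charAtCalls() {
            return calls;
        }
    }

    /** Runs Matcher.matches() against a budgeted view of the input. */
    static boolean matchesWithinBudget(Pattern pattern, CharSequence input,
                                       long maxCharAtCalls, long timeoutMillis) {
        BudgetedCharSequence guarded = new BudgetedCharSequence(input, maxCharAtCalls, timeoutMillis);
        Matcher m = pattern.matcher(guarded);
        boolean result = m.matches(); // throws RegexBudgetExceededException when the budget is exhausted
        System.out.println("  charAt() calls used: " + guarded.charAtCalls());
        return result;
    }

    public static void main(String[] args) {
        // Constructed input: a long run of 'a' that almost matches but fails on the
        // last character, the shape that makes nested quantifiers backtrack exponentially.
        String input = "a".repeat(40) + "c";

        Pattern linear = Pattern.compile("a+c");
        Pattern nestedQuantifier = Pattern.compile("(a+)+b");

        System.out.println("linear pattern:");
        System.out.println("  matches: " + matchesWithinBudget(linear, input, 1_000_000, 500));

        System.out.println("nested-quantifier pattern:");
        try {
            System.out.println("  matches: " + matchesWithinBudget(nestedQuantifier, input, 1_000_000, 500));
        } catch (RegexBudgetExceededException e) {
            System.out.println("  " + e.getMessage());
        }
    }
}
```

The linear pattern finishes after a few dozen `charAt` calls, while the nested-quantifier pattern hits the one-million-call budget within milliseconds and is aborted rather than left to backtrack. The same wrapper works for `find()` and `lookingAt()`, since they read the input through the same `CharSequence`; the caveat from the report stands, though: a future engine that copies the input into an array would silently bypass this guard, which is exactly why an official `onStep` hook is being requested.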
- duplicates JDK-8260688 Predictable regex performance (Draft)