Fix Catastophic Backtracking for Indirect Reference #509

jpdakran · 2022-02-01T16:27:08Z

Problem

I've noticed that there is a hang when running detect-secrets.
This is due to the regex that the Indirect-Reference filter utilizes.
The problem here is catastrophic backtracking. This occurs when we are trying to match a line that is typically more than 25k characters against the regex.

Add conditions on when to run the regex for a line - 1k characters or less (or some agreed up length)
Update the regex

I resorted to option 1. The intention of the heuristic should be for short and simple lines.

detect_secrets/filters/heuristic.py

…ophic_backtracking

…1k char since that better suits the intention of the heuristic

domanchi · 2022-02-05T00:22:54Z

detect_secrets/filters/heuristic.py

@@ -165,6 +165,8 @@ def is_indirect_reference(line: str) -> bool:

        secret = request.headers['apikey']
    """
+    if len(line) > 1000:


@jpdakran : we should document design rationales in code to assist future developers in understanding the codebase.

Understood. Please see #516 for update.

Update regex to avoid catastrophic backtracking

8a5764c

jpdakran requested review from KevinHock and calvinli February 1, 2022 16:27

calvinli reviewed Feb 2, 2022

View reviewed changes

detect_secrets/filters/heuristic.py Outdated Show resolved Hide resolved

jpdakran added 2 commits February 2, 2022 13:07

Merge remote-tracking branch 'origin/master' into jdakran_fix_catastr…

4ad4b69

…ophic_backtracking

Keep regex the same. Only run heuristic for lines that are less than …

f0351f2

…1k char since that better suits the intention of the heuristic

jpdakran requested a review from calvinli February 2, 2022 22:35

calvinli approved these changes Feb 2, 2022

View reviewed changes

jpdakran merged commit af04c48 into master Feb 2, 2022

domanchi reviewed Feb 5, 2022

View reviewed changes

jpdakran deleted the jdakran_fix_catastrophic_backtracking branch February 11, 2022 21:19