Fix ReDoS #32

Merged
merged 3 commits into from Feb 12, 2021
Conversation

yetingli (Contributor) commented Feb 10, 2021

Fix #31

wdavidw (Member) left a comment

2 comments:

  • could you leave the old regexp commented out, with a detailed comment about the reason for the change?
  • is this functionality well covered by unit tests? Otherwise it would be safer to add some.

yetingli (Contributor, Author) commented Feb 12, 2021

  • First of all, I want to point out that the old regexp `/\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\#]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/` has cubic worst-case time complexity due to the overlapping capture groups `([0 +\-\#]*)(\*|\d+)?(\.)?(\*|\d+)?`: a pump string of `0`s can be consumed by `([0 +\-\#]*)`, `(\*|\d+)?`, or `(\*|\d+)?`.
  • The solution I'm giving now is to replace the sub-regexp `(\*|\d+)?(\.)?(\*|\d+)?` with the sub-regexp `(\*|\d+)?(?:(\.)(\*|\d+)?)?`. The two are equivalent, as shown in the following two figures.
  • In addition, for the performance comparison after the fix, see #31 (comment).
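The following is an added regression check, not code from the PR or from the adaltas project. It copies the two patterns quoted in the comment above, verifies that they produce the same capture groups on a constructed set of ordinary printf-style specifiers, and times each pattern on the `"%" + "0".repeat(n)` pump input the comment describes. It assumes Node.js (for `process.hrtime`). One caveat the comment does not mention: the two patterns agree on well-formed specifiers, but they differ on a malformed one such as `%5*d` (a width followed by a second width with no dot), which the old pattern accepted and the fixed pattern rejects; the check below confirms that.

```javascript
// Old pattern, as quoted in the PR discussion: three adjacent optional groups
// can each absorb part of a digit run, so "%" followed by many "0"s and no
// conversion character backtracks roughly cubically before failing.
const OLD_RE = /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\#]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/;

// Fixed pattern from the PR: the precision group is only tried after a
// literal ".", so a digit run can no longer be split three ways.
const NEW_RE = /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\#]*)(\*|\d+)?(?:(\.)(\*|\d+)?)?[hlL]?([\%bscdeEfFgGioOuxX])/;

// Capture groups of the first match (null when there is no match).
function captures(re, input) {
  const m = re.exec(input);
  return m ? m.slice(1) : null;
}

// True when both patterns yield identical captures for the given input.
function sameCaptures(input) {
  return JSON.stringify(captures(OLD_RE, input)) === JSON.stringify(captures(NEW_RE, input));
}

// Constructed pump input from the discussion: "%" followed by n zeros and no
// conversion character, so both patterns must fail after backtracking.
function pump(n) {
  return "%" + "0".repeat(n);
}

// Time a single test() call; returns { matched, ms }.
function timeTest(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Constructed sample specifiers covering named/positional args, flags,
// width, precision, "*" width/precision, length modifiers and "%%".
const SAMPLE_SPECS = ["%d", "%5.2f", "%-10s", "%05d", "%.3s", "%*.*d",
                      "%(name)s", "%2$d", "%#x", "%+ld", "%%"];

// Malformed specifier (constructed) on which the two patterns disagree.
const MALFORMED_SPEC = "%5*d";

function main() {
  for (const s of SAMPLE_SPECS) {
    console.log(s.padEnd(10), sameCaptures(s) ? "same captures" : "DIFFERENT");
  }
  console.log(`${MALFORMED_SPEC}: old=${OLD_RE.test(MALFORMED_SPEC)} new=${NEW_RE.test(MALFORMED_SPEC)}`);
  // Keep n small for the old pattern: its cost grows roughly with n^3.
  for (const n of [100, 200, 400]) {
    const oldT = timeTest(OLD_RE, pump(n));
    const newT = timeTest(NEW_RE, pump(n));
    console.log(`n=${n}: old ${oldT.ms.toFixed(1)} ms, new ${newT.ms.toFixed(1)} ms`);
  }
}

main();
```

Running it prints "same captures" for every sample specifier, shows the old pattern accepting `%5*d` while the new one rejects it, and shows the old pattern's time growing much faster than the new one's as n doubles. The fixed pattern still backtracks quadratically on the pump input (the flag class and the width group can both take zeros), which is why a test on a few thousand zeros is a reasonable permanent regression guard.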

@wdavidw wdavidw merged commit a8502e7 into adaltas:master Feb 12, 2021
1 check passed