Fix regex which has exponential degree of ambiguity #609
Description
The changed regex suffers from an exponential degree of ambiguity.
As a result, it is trivial to provide an input string which takes an incredibly long time to match (due to exponential growth by length of input string).
Related: https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
Here's an example of how to show this with code.
Tested on Java 8, which exhibits the issue. Tested on Java 11, which did not present the issue; some research online suggests that Java 11 featured some improvements to try to mitigate this. Either way, since this is a collection of patterns which are language agnostic, we should probably not support patterns like this.
Some figures from running locally:
Match times are fixed by the replacement regex:
Motivation and Context
I ran this library against all of the patterns within Recog; only one showed an exponential degree of ambiguity, so I am fixing it.
How Has This Been Tested?
Functional:
Tested with the Java code shown above to prove out that the new regex does not exhibit this issue.
Regression:
The existing example test case for this regex passes.
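The description above reports a pattern with an exponential degree of ambiguity and a fix that makes match time flat, but neither the Recog regex nor the author's Java harness is quoted on this page. The following is an added example, not code from this PR or from Recog: a small Python check that feeds a pattern non-matching inputs of growing length and measures how match time scales, using two constructed stand-in patterns (`^(a+)+$` with the nested-quantifier defect, and `^a+$` as its unambiguous equivalent). It assumes CPython's backtracking `re` engine, which behaves like the Java 8 engine the author tested.

```python
import re
import time

# Constructed stand-ins (this PR does not quote the Recog pattern it changed).
# Nested quantifiers over the same character give 2^(n-1) ways to carve up
# n "a"s, all of which the engine tries before giving up on a failing input.
VULNERABLE = re.compile(r"^(a+)+$")
# Same language, exactly one way to match: backtracking stays linear.
FIXED = re.compile(r"^a+$")


def adversarial_input(n: int) -> str:
    """n ambiguous characters followed by one that forces the match to fail."""
    return "a" * n + "!"


def match_seconds(pattern: re.Pattern, text: str, reps: int = 5) -> float:
    """Wall time of one failed match, best of `reps` runs to damp scheduler noise."""
    best = float("inf")
    for _ in range(reps):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_factor(pattern: re.Pattern, small: int = 12, large: int = 20) -> float:
    """How much slower the match gets when the input grows from `small` to `large`.

    Linear matching gives a ratio near large/small (under 2 here); exponential
    backtracking gives roughly 2 ** (large - small), i.e. about 256.
    """
    t_small = match_seconds(pattern, adversarial_input(small))
    t_large = match_seconds(pattern, adversarial_input(large))
    return t_large / max(t_small, 1e-9)


def is_catastrophic(pattern: re.Pattern, threshold: float = 50.0) -> bool:
    """Flag a pattern whose match time grows far faster than its input length."""
    return growth_factor(pattern) > threshold


if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(f"{name:10s} {pat.pattern!r:12} growth x{growth_factor(pat):7.1f} "
              f"catastrophic={is_catastrophic(pat)}")
```

Pointing `is_catastrophic` at each fingerprint regex in a collection, with an adversarial input built from the repeated character class, is one way to turn the manual check described in this PR into a regression test.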