
Fix ReDoS #32

Merged (3 commits) on Feb 12, 2021

Conversation

yetingli (Contributor)

Fix #31

wdavidw (Member) left a comment


2 comments:

  • could you leave the old regexp commented out, with a detailed comment about the reason for the change
  • is this functionality well covered by unit tests? Otherwise it would be safer to add some

yetingli (Contributor, Author)

  • First of all, I want to point out that the old regexp /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\#]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/ has cubic worst-case time complexity due to the overlapping capture groups ([0 +\-\#]*)(\*|\d+)?(\.)?(\*|\d+)?: a pump string of 0 can be consumed by ([0 +\-\#]*), (\*|\d+)?, or (\*|\d+)?.
  • The solution I'm giving now is to replace the sub-regexp (\*|\d+)?(\.)?(\*|\d+)? with the sub-regexp (\*|\d+)?(?:(\.)(\*|\d+)?)?. The two are equivalent, as shown in the following two figures.

@wdavidw wdavidw merged commit a8502e7 into adaltas:master Feb 12, 2021
Successfully merging this pull request may close these issues: ReDoS in printf