Is std::regex constructor safe?What are the rules for calling the superclass constructor?How to concatenate a std::string and an int?What's the best way to trim std::string?Can I call a constructor from another constructor (do constructor chaining) in C++?How to convert std::string to lower case?How to convert a std::string to const char* or char*?std::wstring VS std::stringWhy is “using namespace std” considered bad practice?Calling dynamically allocated class' copy constructor inside a copy constructor?Can you prevent std::regex from throwing exception on invalid expressions?
Return the Closest Prime Number
How to check is there any negative term in a large list?
What happens if you roll doubles 3 times then land on "Go to jail?"
How do I find the solutions of the following equation?
Would a high gravity rocky planet be guaranteed to have an atmosphere?
What is the difference between "behavior" and "behaviour"?
Why didn't Theresa May consult with Parliament before negotiating a deal with the EU?
What is paid subscription needed for in Mortal Kombat 11?
Is expanding the research of a group into machine learning as a PhD student risky?
How long to clear the 'suck zone' of a turbofan after start is initiated?
How do I extract a value from a time formatted value in excel?
Opposite of a diet
Why Were Madagascar and New Zealand Discovered So Late?
Is there a good way to store credentials outside of a password manager?
Escape a backup date in a file name
How does buying out courses with grant money work?
Energy of the particles in the particle accelerator
How to pronounce the slash sign
Class Action - which options I have?
What is the intuitive meaning of having a linear relationship between the logs of two variables?
Integer addition + constant, is it a group?
Where does the Z80 processor start executing from?
What does "I’d sit this one out, Cap," imply or mean in the context?
Do the temporary hit points from the Battlerager barbarian's Reckless Abandon stack if I make multiple attacks on my turn?
Is std::regex constructor safe?
What are the rules for calling the superclass constructor?How to concatenate a std::string and an int?What's the best way to trim std::string?Can I call a constructor from another constructor (do constructor chaining) in C++?How to convert std::string to lower case?How to convert a std::string to const char* or char*?std::wstring VS std::stringWhy is “using namespace std” considered bad practice?Calling dynamically allocated class' copy constructor inside a copy constructor?Can you prevent std::regex from throwing exception on invalid expressions?
Just to make sure:
The constructors of std::basic_regex have to detect invalid expressions and throw an exception if it isn't correct. Right? So assuming I trust my STL implementer, I can pass arbitratry strings to it and I'll either get a valid regex object or an exception - no UB or something of that kind?
Does anyone know of buggy std::basic_regex implementations (EDIT: or other parts of the regex library) that are not robust against erroneous inputs?
c++
asked Mar 7 at 12:47
MikeMBMikeMB
12.1k34083
|
show 1 more comment
Just to make sure:
The constructors of std::basic_regex have to detect invalid expressions and throw an exception if it isn't correct. Right? So assuming I trust my STL implementer, I can pass arbitratry strings to it and I'll either get a valid regex object or an exception - no UB or something of that kind?
Does anyone know of buggy std::basic_regex implementations (EDIT: or other parts of the regex library) that are not robust against erroneous inputs?
c++
asked Mar 7 at 12:47
MikeMBMikeMB
12.1k34083
That is what the documentation onregexstates. However, no implementation is entirely bug free. Is there any particular implementation you are concerned about?
– P.W
Mar 7 at 13:00
@P.W: Well, the usual ones like msvc, libstdc++ and libc++. Essentailly I'm wondering if it is fine to directly pass user data to it without any form of sanitization (not worried about security - just robustness)
– MikeMB
Mar 7 at 13:04
1
libstdc++ does have issues: See one example: gcc.gnu.org/bugzilla/show_bug.cgi?id=86164
– P.W
Mar 7 at 13:06
And so does libc++: bugs.llvm.org/show_bug.cgi?id=23017
– P.W
Mar 7 at 13:08
Note that the last parameter in all five constructors that may be of interest in this case determines the regex grammar to use and defaults to ECMAScript.
– Lafsi Ironknuckles
Mar 7 at 13:08
|
show 1 more comment
Just to make sure:
The constructors of std::basic_regex have to detect invalid expressions and throw an exception if it isn't correct. Right? So assuming I trust my STL implementer, I can pass arbitratry strings to it and I'll either get a valid regex object or an exception - no UB or something of that kind?
Does anyone know of buggy std::basic_regex implementations (EDIT: or other parts of the regex library) that are not robust against erroneous inputs?
c++
asked Mar 7 at 12:47
MikeMBMikeMB
12.1k34083
Just to make sure:
The constructors of std::basic_regex have to detect invalid expressions and throw an exception if it isn't correct. Right? So assuming I trust my STL implementer, I can pass arbitratry strings to it and I'll either get a valid regex object or an exception - no UB or something of that kind?
Does anyone know of buggy std::basic_regex implementations (EDIT: or other parts of the regex library) that are not robust against erroneous inputs?
c++
c++
asked Mar 7 at 12:47
MikeMBMikeMB
12.1k34083
asked Mar 7 at 12:47
MikeMBMikeMB
12.1k34083
edited Mar 7 at 13:08
MikeMB
asked Mar 7 at 12:47
MikeMBMikeMB
12.1k34083
asked Mar 7 at 12:47
MikeMBMikeMB
12.1k34083
asked Mar 7 at 12:47
MikeMBMikeMB
12.1k34083
12.1k34083
That is what the documentation onregexstates. However, no implementation is entirely bug free. Is there any particular implementation you are concerned about?
– P.W
Mar 7 at 13:00
@P.W: Well, the usual ones like msvc, libstdc++ and libc++. Essentailly I'm wondering if it is fine to directly pass user data to it without any form of sanitization (not worried about security - just robustness)
– MikeMB
Mar 7 at 13:04
1
libstdc++ does have issues: See one example: gcc.gnu.org/bugzilla/show_bug.cgi?id=86164
– P.W
Mar 7 at 13:06
And so does libc++: bugs.llvm.org/show_bug.cgi?id=23017
– P.W
Mar 7 at 13:08
Note that the last parameter in all five constructors that may be of interest in this case determines the regex grammar to use and defaults to ECMAScript.
– Lafsi Ironknuckles
Mar 7 at 13:08
|
show 1 more comment
That is what the documentation onregexstates. However, no implementation is entirely bug free. Is there any particular implementation you are concerned about?
– P.W
Mar 7 at 13:00
@P.W: Well, the usual ones like msvc, libstdc++ and libc++. Essentailly I'm wondering if it is fine to directly pass user data to it without any form of sanitization (not worried about security - just robustness)
– MikeMB
Mar 7 at 13:04
1
libstdc++ does have issues: See one example: gcc.gnu.org/bugzilla/show_bug.cgi?id=86164
– P.W
Mar 7 at 13:06
And so does libc++: bugs.llvm.org/show_bug.cgi?id=23017
– P.W
Mar 7 at 13:08
Note that the last parameter in all five constructors that may be of interest in this case determines the regex grammar to use and defaults to ECMAScript.
– Lafsi Ironknuckles
Mar 7 at 13:08
That is what the documentation on
regex states. However, no implementation is entirely bug free. Is there any particular implementation you are concerned about?– P.W
Mar 7 at 13:00
That is what the documentation on
regex states. However, no implementation is entirely bug free. Is there any particular implementation you are concerned about?– P.W
Mar 7 at 13:00
@P.W: Well, the usual ones like msvc, libstdc++ and libc++. Essentailly I'm wondering if it is fine to directly pass user data to it without any form of sanitization (not worried about security - just robustness)
– MikeMB
Mar 7 at 13:04
@P.W: Well, the usual ones like msvc, libstdc++ and libc++. Essentailly I'm wondering if it is fine to directly pass user data to it without any form of sanitization (not worried about security - just robustness)
– MikeMB
Mar 7 at 13:04
1
1
libstdc++ does have issues: See one example: gcc.gnu.org/bugzilla/show_bug.cgi?id=86164
– P.W
Mar 7 at 13:06
libstdc++ does have issues: See one example: gcc.gnu.org/bugzilla/show_bug.cgi?id=86164
– P.W
Mar 7 at 13:06
And so does libc++: bugs.llvm.org/show_bug.cgi?id=23017
– P.W
Mar 7 at 13:08
And so does libc++: bugs.llvm.org/show_bug.cgi?id=23017
– P.W
Mar 7 at 13:08
Note that the last parameter in all five constructors that may be of interest in this case determines the regex grammar to use and defaults to ECMAScript.
– Lafsi Ironknuckles
Mar 7 at 13:08
Note that the last parameter in all five constructors that may be of interest in this case determines the regex grammar to use and defaults to ECMAScript.
– Lafsi Ironknuckles
Mar 7 at 13:08
|
show 1 more comment
1 Answer
1
active
oldest
votes
Assuming the standard libraries do not have bugs (they do, as pointed out by P.W) there is a more general attack called ReDoS as described by OWASP:
The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.
So I would at the very least limit the size of the allowed input so that your program cannot be DOS'd. Secondly, a general approach to test the robustness of the engine is through fuzzing. There are a variety of fuzzing libraries out there and some projects on GitHub that contain "naughty" strings that are explicitly meant for pen testing. You may find it worthwhile to fuzz the various engines to see where they fail.
answered Mar 7 at 13:21
user11165664user11165664
311
Imposing some basic limits would certainly make sense. Although, as I mentioned in a comment, I'm not really interested in security. If the user (usually myself) wants to deliberately crash/slowdown the app, that is his prerogative ;).
– MikeMB
Mar 7 at 14:41
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55044169%2fis-stdregex-constructor-safe%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Assuming the standard libraries do not have bugs (they do, as pointed out by P.W) there is a more general attack called ReDoS as described by OWASP:
The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.
So I would at the very least limit the size of the allowed input so that your program cannot be DOS'd. Secondly, a general approach to test the robustness of the engine is through fuzzing. There are a variety of fuzzing libraries out there and some projects on GitHub that contain "naughty" strings that are explicitly meant for pen testing. You may find it worthwhile to fuzz the various engines to see where they fail.
answered Mar 7 at 13:21
user11165664user11165664
311
Imposing some basic limits would certainly make sense. Although, as I mentioned in a comment, I'm not really interested in security. If the user (usually myself) wants to deliberately crash/slowdown the app, that is his prerogative ;).
– MikeMB
Mar 7 at 14:41
add a comment |
Assuming the standard libraries do not have bugs (they do, as pointed out by P.W) there is a more general attack called ReDoS as described by OWASP:
The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.
So I would at the very least limit the size of the allowed input so that your program cannot be DOS'd. Secondly, a general approach to test the robustness of the engine is through fuzzing. There are a variety of fuzzing libraries out there and some projects on GitHub that contain "naughty" strings that are explicitly meant for pen testing. You may find it worthwhile to fuzz the various engines to see where they fail.
answered Mar 7 at 13:21
user11165664user11165664
311
Imposing some basic limits would certainly make sense. Although, as I mentioned in a comment, I'm not really interested in security. If the user (usually myself) wants to deliberately crash/slowdown the app, that is his prerogative ;).
– MikeMB
Mar 7 at 14:41
add a comment |
Assuming the standard libraries do not have bugs (they do, as pointed out by P.W) there is a more general attack called ReDoS as described by OWASP:
The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.
So I would at the very least limit the size of the allowed input so that your program cannot be DOS'd. Secondly, a general approach to test the robustness of the engine is through fuzzing. There are a variety of fuzzing libraries out there and some projects on GitHub that contain "naughty" strings that are explicitly meant for pen testing. You may find it worthwhile to fuzz the various engines to see where they fail.
answered Mar 7 at 13:21
user11165664user11165664
311
Assuming the standard libraries do not have bugs (they do, as pointed out by P.W) there is a more general attack called ReDoS as described by OWASP:
The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.
So I would at the very least limit the size of the allowed input so that your program cannot be DOS'd. Secondly, a general approach to test the robustness of the engine is through fuzzing. There are a variety of fuzzing libraries out there and some projects on GitHub that contain "naughty" strings that are explicitly meant for pen testing. You may find it worthwhile to fuzz the various engines to see where they fail.
answered Mar 7 at 13:21
user11165664user11165664
311
answered Mar 7 at 13:21
user11165664user11165664
311
answered Mar 7 at 13:21
user11165664user11165664
311
answered Mar 7 at 13:21
user11165664user11165664
311
311
Imposing some basic limits would certainly make sense. Although, as I mentioned in a comment, I'm not really interested in security. If the user (usually myself) wants to deliberately crash/slowdown the app, that is his prerogative ;).
– MikeMB
Mar 7 at 14:41
add a comment |
Imposing some basic limits would certainly make sense. Although, as I mentioned in a comment, I'm not really interested in security. If the user (usually myself) wants to deliberately crash/slowdown the app, that is his prerogative ;).
– MikeMB
Mar 7 at 14:41
Imposing some basic limits would certainly make sense. Although, as I mentioned in a comment, I'm not really interested in security. If the user (usually myself) wants to deliberately crash/slowdown the app, that is his prerogative ;).
– MikeMB
Mar 7 at 14:41
Imposing some basic limits would certainly make sense. Although, as I mentioned in a comment, I'm not really interested in security. If the user (usually myself) wants to deliberately crash/slowdown the app, that is his prerogative ;).
– MikeMB
Mar 7 at 14:41
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55044169%2fis-stdregex-constructor-safe%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
That is what the documentation on
regexstates. However, no implementation is entirely bug free. Is there any particular implementation you are concerned about?– P.W
Mar 7 at 13:00
@P.W: Well, the usual ones like msvc, libstdc++ and libc++. Essentailly I'm wondering if it is fine to directly pass user data to it without any form of sanitization (not worried about security - just robustness)
– MikeMB
Mar 7 at 13:04
1
libstdc++ does have issues: See one example: gcc.gnu.org/bugzilla/show_bug.cgi?id=86164
– P.W
Mar 7 at 13:06
And so does libc++: bugs.llvm.org/show_bug.cgi?id=23017
– P.W
Mar 7 at 13:08
Note that the last parameter in all five constructors that may be of interest in this case determines the regex grammar to use and defaults to ECMAScript.
– Lafsi Ironknuckles
Mar 7 at 13:08