Ufdjrw

Return the Closest Prime Number

How to check is there any negative term in a large list?

What happens if you roll doubles 3 times then land on "Go to jail?"

How do I find the solutions of the following equation?

Would a high gravity rocky planet be guaranteed to have an atmosphere?

What is the difference between "behavior" and "behaviour"?

Why didn't Theresa May consult with Parliament before negotiating a deal with the EU?

What is paid subscription needed for in Mortal Kombat 11?

Is expanding the research of a group into machine learning as a PhD student risky?

How long to clear the 'suck zone' of a turbofan after start is initiated?

How do I extract a value from a time formatted value in excel?

Opposite of a diet

Why Were Madagascar and New Zealand Discovered So Late?

Is there a good way to store credentials outside of a password manager?

Escape a backup date in a file name

How does buying out courses with grant money work?

Energy of the particles in the particle accelerator

How to pronounce the slash sign

Class Action - which options I have?

What is the intuitive meaning of having a linear relationship between the logs of two variables?

Integer addition + constant, is it a group?

Where does the Z80 processor start executing from?

What does "I’d sit this one out, Cap," imply or mean in the context?

Do the temporary hit points from the Battlerager barbarian's Reckless Abandon stack if I make multiple attacks on my turn?

Is std::regex constructor safe?

What are the rules for calling the superclass constructor?How to concatenate a std::string and an int?What's the best way to trim std::string?Can I call a constructor from another constructor (do constructor chaining) in C++?How to convert std::string to lower case?How to convert a std::string to const char* or char*?std::wstring VS std::stringWhy is “using namespace std” considered bad practice?Calling dynamically allocated class' copy constructor inside a copy constructor?Can you prevent std::regex from throwing exception on invalid expressions?

3

Just to make sure:

The constructors of std::basic_regex have to detect invalid expressions and throw an exception if it isn't correct. Right? So assuming I trust my STL implementer, I can pass arbitratry strings to it and I'll either get a valid regex object or an exception - no UB or something of that kind?

Does anyone know of buggy std::basic_regex implementations (EDIT: or other parts of the regex library) that are not robust against erroneous inputs?

c++

share|improve this question

edited Mar 7 at 13:08

MikeMB

asked Mar 7 at 12:47

MikeMBMikeMB

12.1k34083

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  That is what the documentation on regex states. However, no implementation is entirely bug free. Is there any particular implementation you are concerned about?
  
  – P.W
  Mar 7 at 13:00
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @P.W: Well, the usual ones like msvc, libstdc++ and libc++. Essentailly I'm wondering if it is fine to directly pass user data to it without any form of sanitization (not worried about security - just robustness)
  
  – MikeMB
  Mar 7 at 13:04
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  libstdc++ does have issues: See one example: gcc.gnu.org/bugzilla/show_bug.cgi?id=86164
  
  – P.W
  Mar 7 at 13:06
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  And so does libc++: bugs.llvm.org/show_bug.cgi?id=23017
  
  – P.W
  Mar 7 at 13:08
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Note that the last parameter in all five constructors that may be of interest in this case determines the regex grammar to use and defaults to ECMAScript.
  
  – Lafsi Ironknuckles
  Mar 7 at 13:08
  

  
  
  
  

 | 
show 1 more comment

3

Just to make sure:

The constructors of std::basic_regex have to detect invalid expressions and throw an exception if it isn't correct. Right? So assuming I trust my STL implementer, I can pass arbitratry strings to it and I'll either get a valid regex object or an exception - no UB or something of that kind?

Does anyone know of buggy std::basic_regex implementations (EDIT: or other parts of the regex library) that are not robust against erroneous inputs?

c++

share|improve this question

edited Mar 7 at 13:08

MikeMB

asked Mar 7 at 12:47

MikeMBMikeMB

12.1k34083

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  That is what the documentation on regex states. However, no implementation is entirely bug free. Is there any particular implementation you are concerned about?
  
  – P.W
  Mar 7 at 13:00
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @P.W: Well, the usual ones like msvc, libstdc++ and libc++. Essentailly I'm wondering if it is fine to directly pass user data to it without any form of sanitization (not worried about security - just robustness)
  
  – MikeMB
  Mar 7 at 13:04
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  libstdc++ does have issues: See one example: gcc.gnu.org/bugzilla/show_bug.cgi?id=86164
  
  – P.W
  Mar 7 at 13:06
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  And so does libc++: bugs.llvm.org/show_bug.cgi?id=23017
  
  – P.W
  Mar 7 at 13:08
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Note that the last parameter in all five constructors that may be of interest in this case determines the regex grammar to use and defaults to ECMAScript.
  
  – Lafsi Ironknuckles
  Mar 7 at 13:08
  

  
  
  
  

 | 
show 1 more comment

Just to make sure:

The constructors of std::basic_regex have to detect invalid expressions and throw an exception if it isn't correct. Right? So assuming I trust my STL implementer, I can pass arbitratry strings to it and I'll either get a valid regex object or an exception - no UB or something of that kind?

Does anyone know of buggy std::basic_regex implementations (EDIT: or other parts of the regex library) that are not robust against erroneous inputs?

c++

share|improve this question

edited Mar 7 at 13:08

MikeMB

asked Mar 7 at 12:47

MikeMBMikeMB

12.1k34083

share|improve this question

edited Mar 7 at 13:08

MikeMB

asked Mar 7 at 12:47

MikeMBMikeMB

12.1k34083

share|improve this question

edited Mar 7 at 13:08

MikeMB

asked Mar 7 at 12:47

MikeMBMikeMB

12.1k34083

asked Mar 7 at 12:47

MikeMBMikeMB

12.1k34083

asked Mar 7 at 12:47

MikeMBMikeMB

12.1k34083

1 Answer
1

active

oldest

votes

3

Assuming the standard libraries do not have bugs (they do, as pointed out by P.W) there is a more general attack called ReDoS as described by OWASP:

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.

So I would at the very least limit the size of the allowed input so that your program cannot be DOS'd. Secondly, a general approach to test the robustness of the engine is through fuzzing. There are a variety of fuzzing libraries out there and some projects on GitHub that contain "naughty" strings that are explicitly meant for pen testing. You may find it worthwhile to fuzz the various engines to see where they fail.

share|improve this answer

answered Mar 7 at 13:21

user11165664user11165664

311

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Imposing some basic limits would certainly make sense. Although, as I mentioned in a comment, I'm not really interested in security. If the user (usually myself) wants to deliberately crash/slowdown the app, that is his prerogative ;).
  
  – MikeMB
  Mar 7 at 14:41
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55044169%2fis-stdregex-constructor-safe%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

3

Assuming the standard libraries do not have bugs (they do, as pointed out by P.W) there is a more general attack called ReDoS as described by OWASP:

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.

So I would at the very least limit the size of the allowed input so that your program cannot be DOS'd. Secondly, a general approach to test the robustness of the engine is through fuzzing. There are a variety of fuzzing libraries out there and some projects on GitHub that contain "naughty" strings that are explicitly meant for pen testing. You may find it worthwhile to fuzz the various engines to see where they fail.

share|improve this answer

answered Mar 7 at 13:21

user11165664user11165664

311

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Imposing some basic limits would certainly make sense. Although, as I mentioned in a comment, I'm not really interested in security. If the user (usually myself) wants to deliberately crash/slowdown the app, that is his prerogative ;).
  
  – MikeMB
  Mar 7 at 14:41
  

  
  
  
  

add a comment | 

3

Assuming the standard libraries do not have bugs (they do, as pointed out by P.W) there is a more general attack called ReDoS as described by OWASP:

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.

So I would at the very least limit the size of the allowed input so that your program cannot be DOS'd. Secondly, a general approach to test the robustness of the engine is through fuzzing. There are a variety of fuzzing libraries out there and some projects on GitHub that contain "naughty" strings that are explicitly meant for pen testing. You may find it worthwhile to fuzz the various engines to see where they fail.

share|improve this answer

answered Mar 7 at 13:21

user11165664user11165664

311

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Imposing some basic limits would certainly make sense. Although, as I mentioned in a comment, I'm not really interested in security. If the user (usually myself) wants to deliberately crash/slowdown the app, that is his prerogative ;).
  
  – MikeMB
  Mar 7 at 14:41
  

  
  
  
  

add a comment | 

Assuming the standard libraries do not have bugs (they do, as pointed out by P.W) there is a more general attack called ReDoS as described by OWASP:

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.

So I would at the very least limit the size of the allowed input so that your program cannot be DOS'd. Secondly, a general approach to test the robustness of the engine is through fuzzing. There are a variety of fuzzing libraries out there and some projects on GitHub that contain "naughty" strings that are explicitly meant for pen testing. You may find it worthwhile to fuzz the various engines to see where they fail.

share|improve this answer

answered Mar 7 at 13:21

user11165664user11165664

311

share|improve this answer

answered Mar 7 at 13:21

user11165664user11165664

311

answered Mar 7 at 13:21

user11165664user11165664

311

answered Mar 7 at 13:21

user11165664user11165664

311