Validating regexp

alister alister.ware at ntlworld.com
Thu Aug 10 11:42:33 EDT 2017


On Thu, 10 Aug 2017 09:38:49 -0400, Larry Martell wrote:

> On Wed, Aug 9, 2017 at 8:33 PM, Cameron Simpson <cs at cskk.id.au> wrote:
>> On 09Aug2017 10:46, Jon Ribbens <jon+usenet at unequivocal.eu> wrote:
>>>
>>> On 2017-08-09, Cameron Simpson <cs at cskk.id.au> wrote:
>>>>
>>>> On 08Aug2017 17:31, Jon Ribbens <jon+usenet at unequivocal.eu> wrote:
>>>>>
>>>>> ... but bear in mind, there have been ways of doing
>>>>> denial-of-service attacks with valid-but-nasty regexps in the past,
>>>>> and I wouldn't want to rely on there not being any now.
>>>>
>>>>
>>>> The ones I've seen still require some input length (I'm thinking
>>>> exponential rematch backoff stuff here). I suspect that if your test
>>>> query matches the RE against a fixed empty string it is hard to be
>>>> exploited. i.e. I think most of this stuff isn't expensive in terms
>>>> of compiling the regexp but in executing it against text.
>>>
>>>
>>> Well yes, but presumably if the OP is receiving regexps from users
>>> they will be executed against text sooner or later.
>>
>>
>> True, but the OP (Larry) was after validation.
>>
>> The risk then depends on the degree of trust in the user. If the user
>> is a random person-from-the-internets, sure there's a risk there.
>> However, if the regexp is part of some internal configuration being set
>> up by trusted people (eg staff pursuing a goal) then validation will
>> normally be enough.
>>
>> Of course, that is a call for Larry to make, not us, but it needs to be
>> borne in mind by him.
> 
> The input comes from in house people, not from the internet.

The question would still be: should the input be trusted? I would still 
say no; accidental errors can cause as much damage as malicious input if 
not correctly sanitised.

My experience with regexes is insufficient to help with any of the rest 
of this query.




-- 
For some reason, this fortune reminds everyone of Marvin Zelkowitz.
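The thread separates two concerns: checking that a user-supplied pattern is syntactically valid (cheap, done at compile time) and bounding what it costs when it is eventually run against text (where the denial-of-service risk Jon and Cameron mention actually lives). The following is an added example, not code from any of the posters, showing one way to handle both in Python: `validate_regex` compiles the pattern and reports `re.error`, and `search_with_timeout` runs the match in a child process that is killed if it overruns a time limit. The function names, the `MAX_PATTERN_LEN` cap and the default timeout are assumptions chosen for the example.

```python
"""Validate a user-supplied regular expression, then run it under a hard time limit.

Added example for the python-list thread on validating regexps; not the
posters' own code. Names and limits below are assumptions for illustration.
"""
import multiprocessing
import re

# Assumed cap: a pattern longer than this in in-house config is worth a second look.
MAX_PATTERN_LEN = 200


def validate_regex(pattern):
    """Return (True, '') if the pattern compiles, else (False, reason).

    Compiling only proves syntactic validity; as the thread notes, the
    expensive part of a nasty regexp is executing it against text.
    """
    if not isinstance(pattern, str):
        return False, "pattern must be a string"
    if len(pattern) > MAX_PATTERN_LEN:
        return False, "pattern longer than %d characters" % MAX_PATTERN_LEN
    try:
        re.compile(pattern)
    except re.error as exc:
        return False, "invalid regexp: %s" % exc
    return True, ""


def _match_worker(pattern, text, conn):
    """Run in a child process so the parent can terminate it on timeout."""
    try:
        conn.send(re.search(pattern, text) is not None)
    except Exception as exc:  # report the failure instead of hanging the parent
        conn.send(exc)
    finally:
        conn.close()


def search_with_timeout(pattern, text, timeout=1.0):
    """Return True/False for a match, or None if matching exceeded `timeout` seconds.

    Raises ValueError for a pattern that fails validate_regex().
    """
    ok, reason = validate_regex(pattern)
    if not ok:
        raise ValueError(reason)
    # duplex=False gives a (receive, send) pair: parent reads, child writes.
    parent_conn, child_conn = multiprocessing.Pipe(duplex=False)
    proc = multiprocessing.Process(target=_match_worker, args=(pattern, text, child_conn))
    proc.start()
    child_conn.close()  # parent no longer needs the sending end
    result = parent_conn.recv() if parent_conn.poll(timeout) else None
    if proc.is_alive():
        proc.terminate()  # matching overran the budget: kill it rather than wait
    proc.join()
    parent_conn.close()
    if isinstance(result, Exception):
        raise result
    return result


if __name__ == "__main__":
    # Constructed sample inputs: a valid pattern, an invalid one, and a match run.
    print(validate_regex(r"^\d+$"))          # (True, '')
    print(validate_regex("(unclosed"))       # (False, 'invalid regexp: ...')
    print(search_with_timeout(r"^\d+$", "12345"))  # True
```

A `None` return from `search_with_timeout` is the signal to log the pattern and the input that tripped the limit; for trusted in-house configuration that is usually enough to find the accidental error alister warns about, while for untrusted input it is the point at which the pattern should be rejected outright.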


