Safety of executing arbitrary regular expressions

Question

I really can't think of any, but could there be malicious effects of allowing users to run arbitrary regular expressions?

For example, say I have a website where people can try out regular expressions on a block of text -- is there anything I'd have to "sanitize" in the same way as for SQL statements?

score 2 · Accepted Answer · answered Sep 05 '12 at 00:12

2

Some regular expressions can be computationally very complex and/or require a lot of memory and running many of them could degrade performance or lead to a denial of service.

answered Sep 05 '12 at 00:12

akton

14,148
3
43
47

score 1 · Answer 2 · answered Sep 04 '12 at 23:57

1

Perl regular expressions can execute arbitrary code snippets. Even without that feature, a malicious regex could use up all the CPU/RAM on your server.

answered Sep 04 '12 at 23:57

Sean McSomething

6,376
2
23
28

score 0 · Answer 3 · answered Sep 05 '12 at 13:34

0

https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

answered Sep 05 '12 at 13:34

Pierre Ernst

514
3
7

1

Excellent link, but a link-only answer is not really great (bitrot is just one of the problems). Could you summarize the information quickly in your answer? – Joachim Sauer Sep 05 '12 at 13:37

Safety of executing arbitrary regular expressions

3 Answers3