Regex timelimit in a model

Question

I have a register model with a regular expression, but in C# we have Regex.ValidateMatchTimeout to prevent DDoS attacks. The question is, how implement a regex with timelimit in a model?

A normal regex in my model:

[DataType(DataType.EmailAddress)]
[Required]
[Display(Name = "Email")]
[StringLength(80, ErrorMessage = "Email too large.")]
[RegularExpression(@"^([a-zA-Z0-9_.-]+)@(outlook|hotmail|yahoo)\.\w{2,}$", ErrorMessage = "Invalid email.")]
public string Email { get; set; }

Your example regex isn't prone to [catastrophic backtracking](http://www.regular-expressions.info/catastrophic.html), and is anchored, which means it's *fast*. Do you have any real use case for this? — Lucas Trzesniewski, May 03 '15 at 23:09
@LucasTrzesniewski uhm? You are saying my regex is well done, no? — Joe, May 03 '15 at 23:32
Yes, exactly, which means this particular pattern wouldn't ever timeout. :) — Lucas Trzesniewski, May 04 '15 at 07:24

score 1 · Accepted Answer · edited May 23 '17 at 11:50

1

The RegularExpression attribute does not allow you to specify a timeout in any way. You could, on the other hand, set the global default timeout. If nothing is configured, the timeout would be infinite.

AppDomain.CurrentDomain.SetData("REGEX_DEFAULT_MATCH_TIMEOUT", TimeSpan.FromSeconds(1));

More info:

How do I timeout Regex operations to prevent hanging in .NET 4.5?

An alternative would be to create your own attribute, based on the reference source.

edited May 23 '17 at 11:50

Community

1
1

answered May 03 '15 at 23:19

Markus Jarderot

86,735
21
136
138

In what file must I put AppDomain.Curre...? – Joe May 03 '15 at 23:35
1

In your `Startup.cs` file, or somewhere that is run before the first regex match. – Markus Jarderot May 03 '15 at 23:39
Then I can redefine the MATCH_TIMEOUT inside a method, no? Example: I put 5 seconds in startup, but I put after 20 seconds in my own method. This will affect to all program (all clients) or only to one client?? – Joe May 03 '15 at 23:45
You can test it by outputing `new Regex("").MatchTimeout` on some page. – Markus Jarderot May 03 '15 at 23:45
1

Yes. `REGEX_DEFAULT_MATCH_TIMEOUT` is global for your application. – Markus Jarderot May 03 '15 at 23:46

score 0 · Answer 2 · answered Nov 09 '21 at 15:23

Accepted answer is wrong (or perhaps outdated), because you can use MatchTimeoutInMilliseconds property, present in RegularExpressionAttribute

[RegularExpression(@"^([a-zA-Z0-9_.-]+)@(outlook|hotmail|yahoo)\.\w{2,}$", MatchTimeoutInMilliseconds = 1000, ErrorMessage = "Invalid email.")]

https://learn.microsoft.com/en-us/dotnet/api/system.componentmodel.dataannotations.regularexpressionattribute.matchtimeoutinmilliseconds

By the way, even you think your Regex is super-duper smart and awesome and fast, you could still fall pray to a maliciously crafted input that will take your regex for a spin. At scale, that can eventually take your system down.

Regex timelimit in a model

2 Answers2