Regexes are dangerous, very dangerous. Regex operations are processed by the main thread, the one that is listening to the event loop. Is it possible to make sure that a dangerous regex won't halt my application? Should I be passing the regex operations to a thread pool of my own? Is there a norm for this? Of course testing, monitoring etc. will be done, but is there a generic approach to preventing this kind of disaster?
Viewed 595 times
See https://www.josephkirwin.com/2016/03/12/nodejs_redos_mitigation/ – Wiktor Stribiżew Oct 15 '16 at 08:35
This looks great! Can you provide this as an answer? – Alkis Kalogeris Oct 15 '16 at 08:40
I am on a mobile and cannot format the code well. I am on the go right now, too. In some 20 mins – Wiktor Stribiżew Oct 15 '16 at 08:43
Please take all the time you need. Thank you for this one. Allow me to be a little greedy and ask you about the performance hit of using this workaround (if you've already tried it). Of course I'll run my own tests, but it would be great if an answer included all aspects. – Alkis Kalogeris Oct 15 '16 at 08:50
1 Answer
You may use a trick using Node.js's core vm module (available in the v0.12.x, v4.x and v5.x branches) described in Mitigating Catastrophic Backtracking in Node.js Regular Expressions. The idea is to set a timeout on a regex match operation and terminate matching once it has run for the specified period of time.
Here is a snippet from the article you may leverage:
const util = require('util');
const vm = require('vm');

// The sandbox object is the only state shared with the script;
// the match result is read back from it after the run.
var sandbox = {
  result: null
};
var context = vm.createContext(sandbox);
console.log('Sandbox initialized: ' + vm.isContext(sandbox));

// Evil pattern: nested quantifier followed by a character that never matches,
// so the engine backtracks through every way of splitting the run of A's.
var script = new vm.Script('result = /^(A+)*B/.test(\'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC\');');

try {
  // One could argue that if a RegExp hasn't finished in a given time,
  // then it is likely to take exponential time.
  script.runInContext(context, { timeout: 1000 }); // milliseconds; must be a number, not a string
} catch (e) {
  console.log('ReDoS occurred'); // Take some remedial action here...
}
console.log(util.inspect(sandbox)); // Check the results; result stays null after a timeout

Wiktor Stribiżew
Sorry, I can't provide any testing details, but the idea is that once the timeout set by you is reached the result is considered failed. It is [similar to approach in .NET](http://stackoverflow.com/questions/7616435/how-do-i-timeout-regex-operations-to-prevent-hanging-in-net-4-5) – Wiktor Stribiżew Oct 15 '16 at 09:11
That's fine. The answer is great as is. I found this for a first taste http://www.davidmclifton.com/2011/08/18/node-js-virtual-machine-vm-usage/ – Alkis Kalogeris Oct 15 '16 at 09:17