I want to limit the execution time of the evaluation of a regex in JavaScript to 1 second (as a part of a series of steps aiming to mitigate attacks on regex). Is there a way to do this in JavaScript (for example, make the evaluator return false upon timeout)?
-
In browser? Or server-side? – Ivan Rubinson Jun 30 '19 at 09:30
-
Flagged as duplicate assuming it's server side, if it's client side then it's not really an attack vector for a ReDoS attack in the first place. – seahorsepip Jun 30 '19 at 09:33
-
It's for both client and server side. Why wouldn't it be a problem on client side? – omer Jun 30 '19 at 09:34
-
@omer client side browsers can only be frozen at worst. If it's based on the user's own input it's a non-issue since he's freezing his own browser only. If for some uncommon design reason a user can "share" his regex which in turn can be used by other users then yes, those other users will fall victim. I would recommend running the regex server side in that scenario. – seahorsepip Jun 30 '19 at 09:39
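
For the server-side case discussed in the comments, one way to bound a regex evaluation in Node.js is to run it through the built-in `vm` module with its `timeout` option. This is an added example, not part of the original thread; the helper name `regexTestWithTimeout` and the sample pattern and input are constructed for illustration.

```javascript
// Added example (not from the thread). Node.js only: in a browser the
// equivalent is a Web Worker that the page terminates after the deadline.
const vm = require('vm');

// Hypothetical helper: true/false for a match, or `onTimeout` (default false,
// as the question asks) when evaluation exceeds timeoutMs.
function regexTestWithTimeout(re, input, timeoutMs = 1000, onTimeout = false) {
  // The script text is a fixed constant; the regex and the input enter the
  // context only as data, so untrusted input never becomes code.
  // Note: vm is a timeout mechanism here, not a security sandbox.
  const sandbox = { re, input };
  try {
    return vm.runInNewContext('re.test(input)', sandbox, { timeout: timeoutMs }) === true;
  } catch (err) {
    // Node throws this code when the vm watchdog fires.
    if (err && err.code === 'ERR_SCRIPT_EXECUTION_TIMEOUT') return onTimeout;
    throw err; // anything else is a real bug; do not hide it
  }
}

// Constructed sample: nested quantifiers backtrack exponentially on a
// near-miss input (a run of 'a' followed by a character that cannot match).
const SAMPLE_PATTERN = /^(a+)+$/;
const SAMPLE_INPUT = 'a'.repeat(40) + '!';

function demo() {
  const started = Date.now();
  const matched = regexTestWithTimeout(SAMPLE_PATTERN, SAMPLE_INPUT, 200);
  return { matched, elapsedMs: Date.now() - started };
}
```

The call is synchronous, so the event loop is still blocked for up to `timeoutMs` per evaluation; the timeout caps the damage of one bad input but does not replace input length limits or a worker thread for untrusted patterns.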