
Is there a way to validate a user-provided regex pattern to avoid Regex Denial-of-Service (ReDoS) or arbitrary code execution attacks, assuming that the subject (second argument of preg_match) is also user-provided? I would like to use it like below:

<?php
function executeRegex($userProvidedRegex, $userProvidedInput) {
   return preg_match($userProvidedRegex, $userProvidedInput);
}

Bob
  • Does this answer your question? [How can I recognize an evil regex?](https://stackoverflow.com/questions/12841970/how-can-i-recognize-an-evil-regex) – Booboo May 06 '23 at 18:46
  • What try/catch is there for `*.*?*))`? Does this stop your php script? – sln May 06 '23 at 20:51
  • @Booboo I can't find an answer for my question... I need some code example. – Bob May 06 '23 at 21:02
  • @sln my problem is about detecting not only formally valid regex, but malicious regex expressions that can use all my resources. – Bob May 06 '23 at 21:03
  • The answer to the post I referenced says in part *Catastrophic backtracking in modern regex engines is similar in nature to the halting problem which Alan Turing proved was impossible to solve.* There is no perfect algorithm for solving your problem. – Booboo May 06 '23 at 21:08
  • RE2 doesn't support backtracking. It's more robust than PCRE – erik258 May 06 '23 at 22:11
  • @erik258 unfortunately I could not find it available for PHP except for an abandoned project. – Bob May 06 '23 at 22:54
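As the comments say, there is no check that rejects every pathological pattern, but the damage can be bounded. The wrapper below is an added example, not code from the question or its comments: it keeps the delimiter and the modifier whitelist under the caller's control (the user supplies only the pattern body), verifies that the pattern compiles, runs the match under a lowered pcre.backtrack_limit, and inspects preg_last_error() so that a match aborted by the engine is reported as "rejected" instead of being mistaken for "no match". The class name, the length caps and the backtrack limit are assumptions chosen for this illustration; the sample calls at the bottom use constructed inputs.

```php
<?php
// Added example: a defensive wrapper around preg_match for a user-supplied
// pattern body AND a user-supplied subject. It bounds the cost of a bad
// pattern; it does not (and cannot) prove a pattern safe.
//
// Why each step exists:
//  1. Length caps on pattern and subject shrink the search space up front.
//  2. The caller chooses the delimiter and the allowed modifiers. On PHP 5 the
//     classic code-execution route was the /e modifier of preg_replace; preg_match
//     never evaluated code and /e was removed in PHP 7.0, but whitelisting the
//     modifiers keeps that whole class of surprises out.
//  3. A compile check catches syntactically invalid patterns before matching.
//  4. A lowered pcre.backtrack_limit (default 1000000) caps the work one match
//     may do; with pcre.jit enabled (the default since PHP 7.0) pcre.recursion_limit
//     is not enforced, so the backtrack limit is the one that matters.
//  5. preg_last_error() distinguishes "the engine gave up" from "no match".

final class SafeRegex
{
    private const MAX_PATTERN_LEN = 256;      // assumption: tune for your use case
    private const MAX_SUBJECT_LEN = 4096;     // assumption
    private const BACKTRACK_LIMIT = 100000;   // assumption: 10x below PHP's default
    private const ALLOWED_MODIFIERS = 'imsu'; // no 'x' (comments), no 'e'

    /**
     * Returns true/false for match/no match, or null when the pattern is
     * rejected or the engine aborted (backtrack limit, JIT stack, bad UTF-8).
     */
    public static function match(string $userPattern, string $userModifiers, string $subject): ?bool
    {
        if (strlen($userPattern) > self::MAX_PATTERN_LEN || strlen($subject) > self::MAX_SUBJECT_LEN) {
            return null;
        }
        if ($userModifiers !== '' && !preg_match('/^[' . self::ALLOWED_MODIFIERS . ']+$/', $userModifiers)) {
            return null; // unknown or disallowed modifier
        }

        // Pick a delimiter that does not occur in the body at all, so the user
        // cannot close the pattern early and append their own modifiers.
        $delimiter = null;
        foreach (['~', '#', '%', '@', '!', ';', ','] as $candidate) {
            if (strpos($userPattern, $candidate) === false) {
                $delimiter = $candidate;
                break;
            }
        }
        if ($delimiter === null) {
            return null;
        }
        // A body ending in a lone backslash would escape the closing delimiter;
        // that is a compile error and is caught below.
        $pattern = $delimiter . $userPattern . $delimiter . $userModifiers;

        // Swallow the warnings preg_match emits for bad patterns; we inspect
        // the return value and preg_last_error() instead.
        set_error_handler(static function (): bool { return true; });
        $oldLimit = (string) ini_get('pcre.backtrack_limit');
        ini_set('pcre.backtrack_limit', (string) self::BACKTRACK_LIMIT);
        try {
            if (preg_match($pattern, '') === false) {
                return null; // does not compile
            }
            $result = preg_match($pattern, $subject);
        } finally {
            ini_set('pcre.backtrack_limit', $oldLimit);
            restore_error_handler();
        }

        // false + PREG_BACKTRACK_LIMIT_ERROR (or PREG_JIT_STACKLIMIT_ERROR,
        // PREG_BAD_UTF8_ERROR, ...) means the engine aborted, not "no match".
        // On PHP >= 8.0, preg_last_error_msg() gives a readable reason for logging.
        if ($result === false || preg_last_error() !== PREG_NO_ERROR) {
            return null;
        }
        return $result === 1;
    }
}

// Constructed inputs for demonstration.
var_dump(SafeRegex::match('^[a-z]+$', 'i', 'Hello'));                // well-behaved pattern
var_dump(SafeRegex::match('(a+)+$', '', str_repeat('a', 40) . '!')); // nested quantifier, meant to hit the limit
var_dump(SafeRegex::match('[unclosed', '', 'x'));                    // does not compile
var_dump(SafeRegex::match('^a$', 'e', 'a'));                         // disallowed modifier
```

The first call is an ordinary match; the second is the textbook catastrophic-backtracking shape, `(a+)+$` against a run of `a` followed by a character that forces failure, and is there to show the wrapper returning null (engine aborted) rather than hanging; the last two show rejection at the compile and modifier-whitelist stages. Treat null as "log and refuse", and keep the subject cap strict: the limit bounds backtracking steps per call, not CPU time across many calls, so rate limiting the endpoint is still needed.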
