Maniphest T187669

Static PCRE ReDoS validator
Open, MediumPublic
Actions

Assigned To

None

Authored By

	Tgr
	Feb 19 2018, 1:43 AM

Tags

Referenced Files

None

Subscribers

Tokens

"Love" token, awarded by Daimona.

Description

MediaWiki should have some way to reject regular expressions which are vulnerable to ReDoS attacks (or are ReDoS attacks). Some use cases:

Some tools that claim to be able to detect vulnerable regular expressions:

NicolaasWeideman/RegexStaticAnalysis (Java)
RXXR / RXXR2 (OCaml)
substack/safe-regex (Node.js)

It seems not too hard to compile one of these into a binary and make MediaWiki shell out to it to check regular expressions before executing them.

Related Objects

Mentioned In: T256661: Implement ReDoS detection
T240884: RFC: How to evaluate user-provided regular expressions
Mentioned Here: T105126: [Task] Evaluate pattern constraints (safely)
T176312: Don’t check format constraint via SPARQL (safely evaluating user-provided regular expressions)

Event Timeline

Tgr created this task.Feb 19 2018, 1:43 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 19 2018, 1:43 AM

Chicocvenancio subscribed.Feb 19 2018, 2:28 AM

Daimona awarded a token.Feb 19 2018, 8:51 AM

Daimona subscribed.

Aklapper added a project: MediaWiki-General.Feb 19 2018, 10:53 AM

Krinkle updated the task description. (Show Details)Mar 5 2018, 11:13 PM

• Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:15 AM

• chasemp triaged this task as Medium priority.Dec 9 2019, 5:09 PM

Aklapper removed a project: Security-General.Dec 13 2019, 10:46 AM

Daimona mentioned this in T240884: RFC: How to evaluate user-provided regular expressions.Jan 17 2020, 4:42 PM

sbassett subscribed.Jan 17 2020, 6:24 PM

• chasemp added a project: Security.Feb 10 2020, 10:58 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM

Daimona mentioned this in T256661: Implement ReDoS detection.Jul 1 2020, 8:50 AM