
Static PCRE ReDoS validator
Open, Medium, Public

Description

MediaWiki should have some way to reject regular expressions which are vulnerable to ReDoS attacks (or are ReDoS attacks). Some use cases:

Some tools that claim to be able to detect vulnerable regular expressions:

It seems not too hard to compile one of these into a binary and make MediaWiki shell out to it to check regular expressions before executing them.
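To make the "check before executing" step concrete, here is an added example of the kind of static pre-check such a validator would perform. It is not MediaWiki code and not one of the tools referred to above; it is a small Python stand-in that uses Python's own regex parser (`re._parser`, formerly `sre_parse`) rather than a PCRE parser, so it only approximates PCRE syntax. The heuristic it implements is the classic nested-quantifier check: a quantifier that can iterate more than once, nested inside another such quantifier, lets the engine split the input between the two loops in exponentially many ways. The function names, the depth threshold and the sample patterns are all assumptions made for this example.

```python
"""Static nested-quantifier check for regular expressions (example, not MediaWiki code).

Rejects patterns whose quantifier nesting depth exceeds MAX_DEPTH, the classic
sufficient (but not necessary) condition for catastrophic backtracking, e.g. (a+)+.
Uses Python's regex parser as a stand-in for a PCRE parser.
"""
import re

try:                                      # Python 3.11+
    from re import _parser as sre_parse
    from re import _constants as sre_constants
except ImportError:                       # older Pythons
    import sre_parse
    import sre_constants

# Every quantifier opcode the parser can emit; POSSESSIVE_REPEAT only exists on 3.11+.
# Possessive/atomic constructs do not backtrack, but we count them anyway: a validator
# that rejects before execution should err on the side of false positives.
REPEAT_OPS = tuple(
    op for op in (
        sre_constants.MAX_REPEAT,
        sre_constants.MIN_REPEAT,
        getattr(sre_constants, "POSSESSIVE_REPEAT", None),
    ) if op is not None
)

MAX_DEPTH = 1   # assumption: one level of quantifiers is fine, nested ones are not


def _children(av):
    """Yield every nested SubPattern inside an opcode's argument tuple."""
    if isinstance(av, sre_parse.SubPattern):
        yield av
    elif isinstance(av, (tuple, list)):
        for item in av:
            yield from _children(item)


def quantifier_depth(subpattern):
    """Deepest nesting of quantifiers that can iterate more than once.

    A bounded quantifier like {2,5} counts too: (a{1,5})* is just as ambiguous
    as (a+)* because the input can still be split between the loops many ways.
    Optional (?) does not count, since it cannot iterate.
    """
    depth = 0
    for op, av in subpattern:
        level = 0
        if op in REPEAT_OPS:
            _lo, hi, _body = av           # hi is MAXREPEAT for * and +
            if hi > 1:
                level = 1
        for child in _children(av):       # groups, branches, lookarounds, repeat bodies
            depth = max(depth, level + quantifier_depth(child))
    return depth


def check_regex(pattern):
    """Return (accepted, reason). Unparseable patterns are rejected as well."""
    try:
        tree = sre_parse.parse(pattern)
    except re.error as exc:
        return False, f"does not parse: {exc}"
    depth = quantifier_depth(tree)
    if depth > MAX_DEPTH:
        return False, f"nested quantifiers (depth {depth}) can backtrack super-linearly"
    return True, f"quantifier depth {depth}"


# Constructed sample patterns for demonstration; verdicts are this heuristic's, not a ground truth.
SAMPLES = [
    r"^(a+)+$",                 # textbook ReDoS: rejected
    r"^(\w+\s?)*$",             # same shape hiding in a "words" validator: rejected
    r"^[a-z0-9_-]{3,16}$",      # ordinary username check: accepted
    r"^https?://[^/]+/.*$",     # several sibling quantifiers, none nested: accepted
    r"^(a|aa)+$",               # ambiguous alternation: exponential, yet NOT caught here
    r"(",                       # syntax error: rejected
]

if __name__ == "__main__":
    for pat in SAMPLES:
        ok, why = check_regex(pat)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {pat!r}: {why}")
```

The last accepted sample is the important caveat: `^(a|aa)+$` has only one quantifier level but is still exponential, because the alternation itself is ambiguous. Nested-quantifier depth is a cheap filter, not a proof of safety; the tools the task has in mind do a real ambiguity analysis of the automaton, which is why shelling out to one of them is preferable to reimplementing a heuristic like this inside MediaWiki. Whatever validator is used, its verdict should be cached per pattern (regexes in extensions and on-wiki configuration rarely change) so the check is not paid on every match.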