
Static PCRE ReDoS validator
Open, Medium, Public


MediaWiki should have some way to reject regular expressions which are vulnerable to ReDoS attacks (or are ReDoS attacks). Some use cases:

Some tools that claim to be able to detect vulnerable regular expressions:

It seems not too hard to compile one of these into a binary and make MediaWiki shell out to it to check regular expressions before executing them.
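One way a pre-execution check of the kind described above could work, as an added example (not code from this task or from MediaWiki): a star-height heuristic that rejects patterns containing nested unbounded quantifiers. The function names are hypothetical, the sample patterns are constructed, and the heuristic does not catch other ReDoS shapes such as overlapping alternation.

```python
import re

# Unbounded repetition: *, + or {n,}. Bounded forms (?, {n}, {n,m}) add no height.
UNBOUNDED = re.compile(r"[*+]|\{\d+,\}")
BOUNDED = re.compile(r"\?|\{\d+(?:,\d+)?\}")

def star_height(pattern):
    """Deepest nesting of unbounded quantifiers, e.g. (a+)+ has height 2."""
    stack = [0]  # max height seen so far inside each open group
    last = 0     # height of the atom just parsed
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        q = UNBOUNDED.match(pattern, i) or BOUNDED.match(pattern, i)
        if c == "\\":                       # escape: one atom, skip both chars
            last, i = 0, i + 2
        elif c == "[":                      # character class: one atom
            j = i + 1
            if pattern[j:j + 1] == "^":
                j += 1
            if pattern[j:j + 1] == "]":     # a leading ] is a literal
                j += 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            last, i = 0, j + 1
        elif c == "(":
            stack.append(0)
            last = 0
            i += 2 if pattern[i + 1:i + 2] == "?" else 1  # skip the (? prefix
        elif c == ")":                      # the closed group becomes the atom
            last = stack.pop() if len(stack) > 1 else 0
            i += 1
        elif q:
            if q.re is UNBOUNDED:
                last += 1
            i = q.end()
            if pattern[i:i + 1] in ("?", "+"):  # lazy or possessive suffix
                i += 1
        else:                               # literal, ., |, ^, $
            last, i = 0, i + 1
        stack[-1] = max(stack[-1], last)
    return max(stack)

def check_regex(pattern, max_height=1):
    """Return (ok, height); ok is False for nested unbounded repetition."""
    height = star_height(pattern)
    return height <= max_height, height

if __name__ == "__main__":
    for sample in ["(a+)+", r"^(\w+\s?)+$", "[a-z+*]+", r"\(a+\)+"]:  # constructed
        print(sample, check_regex(sample))
```

Possessive quantifiers are treated like ordinary ones here, so the check errs on the side of rejecting.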