RegEx evaluation should have a time out specified

As Microsoft stated itself:

When using System.Text.RegularExpressions to process untrusted input, pass a timeout. A malicious user can provide input to RegularExpressions causing a Denial-of-Service attack. ASP.NET Core framework APIs that use RegularExpressions pass a timeout.

The rule should raise a warning on all RegEx methods that lack a timeout parameter when an overload with a timeout is available. So:

var compliant = new Regex(@"\b\w+\b", RegexOptions.None, TimeSpan.FromMilliseconds(5)); // Compliant
var noncompliant = new Regex(@"\b\w+\b", RegexOptions.None); // Noncompliant

Hello Corniel,

thanks for the suggestion! We plan to add a similar regular expressions analysis for .Net as we did for Java last year (e.g. as described in this blog post). Once we are able to properly detect regular expressions that cause problems this might come in as a nice addition.

So I had been told. :wink:

Who told you that if you don’t mind me asking? :thinking:

A colleague of yours (from the C#/VB.NET language team). :slight_smile:
He also asked me to share mine idea here. :wink:

1 Like