RegEx evaluation should have a time out specified

As Microsoft stated itself:

Warning: When using System.Text.RegularExpressions to process untrusted input, pass a timeout. A malicious user can provide input to RegularExpressions causing a Denial-of-Service attack. ASP.NET Core framework APIs that use RegularExpressions pass a timeout.

The rule should raise a warning on all RegEx methods that lack a timeout parameter when an overload with a timeout is available. So:

```csharp
using System;
using System.Text.RegularExpressions;

var compliant = new Regex(@"\b\w+\b", RegexOptions.None, TimeSpan.FromMilliseconds(5)); // Compliant
var noncompliant = new Regex(@"\b\w+\b", RegexOptions.None); // Noncompliant
```
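To show the timeout-taking overloads the suggested rule would accept, and what a caller does when the budget runs out, here is an added C# example of my own (not code from the original post or from sonar-dotnet). The patterns and inputs are constructed; the REGEX_DEFAULT_MATCH_TIMEOUT AppDomain key is the documented .NET process-wide fallback.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not code from the original post or the sonar-dotnet project.
public static class RegexTimeoutDemo
{
    // Process-wide fallback for Regex calls that pass no explicit timeout.
    // It is read lazily on first Regex use, so set it at startup, before any Regex runs.
    public static void SetProcessDefault(TimeSpan timeout) =>
        AppDomain.CurrentDomain.SetData("REGEX_DEFAULT_MATCH_TIMEOUT", timeout);

    // Returns the match result, or null when the engine gave up because the
    // budget elapsed. Callers must treat null as "reject", never as "matched".
    public static bool? TryIsMatch(string pattern, string input, TimeSpan timeout)
    {
        try
        {
            // Static overload that takes a timeout: Compliant under the suggested rule.
            // The same overloads exist for Regex.Match, Regex.Replace and Regex.Split.
            return Regex.IsMatch(input, pattern, RegexOptions.None, timeout);
        }
        catch (RegexMatchTimeoutException ex)
        {
            // Log the pattern and the budget; do not echo the untrusted input.
            Console.Error.WriteLine(
                $"regex timed out after {ex.MatchTimeout} on pattern '{ex.Pattern}'");
            return null;
        }
    }

    public static void Main()
    {
        SetProcessDefault(TimeSpan.FromMilliseconds(200));

        // Constructed inputs. The second pattern has nested quantifiers, and the
        // trailing '!' guarantees failure, so the backtracking engine explores an
        // exponential number of ways to split the run of 'a' characters.
        var benign = TryIsMatch(@"\b\w+\b", "hello world", TimeSpan.FromMilliseconds(5));
        var hostile = TryIsMatch(@"^(\w+\s?)*$", new string('a', 40) + "!",
                                 TimeSpan.FromMilliseconds(100));

        Console.WriteLine($"benign:  {benign}");
        Console.WriteLine($"hostile: {hostile?.ToString() ?? "timed out, rejected"}");

        // On .NET 7 or later, RegexOptions.NonBacktracking gives linear-time matching
        // and is the stronger fix; a timeout still belongs on the call as defence in depth.
    }
}
```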

Hello Corniel,

Thanks for the suggestion! We plan to add a similar regular expressions analysis for .NET as we did for Java last year (e.g. as described in this blog post). Once we are able to properly detect regular expressions that cause problems this might come in as a nice addition.

So I had been told. :wink:

Who told you that if you don’t mind me asking? :thinking:

A colleague of yours (from the C#/VB.NET language team). :slight_smile:
He also asked me to share my idea here. :wink:


I created a pull request for this one: RegEx evaluation should have a time out specified by Corniel · Pull Request #5693 · SonarSource/sonar-dotnet · GitHub

I created a pull request for the RSPEC too: Add rule SXXX: RegEx evaluation should have a time out specified by Corniel · Pull Request #1061 · SonarSource/rspec · GitHub