Menu
Just to make sure:
The constructors of std::basic_regex have to detect invalid expressions and throw an exception if it isn't correct. Right? So assuming I trust my STL implementer, I can pass arbitratry strings to it and I'll either get a valid regex object or an exception - no UB or something of that kind?
Does anyone know of buggy std::basic_regex implementations (EDIT: or other parts of the regex library) that are not robust against erroneous inputs?
909
Assuming the standard libraries do not have bugs (they do, as pointed out by P.W) there is a more general attack called ReDoS as described by OWASP:
The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.
So I would at the very least limit the size of the allowed input so that your program cannot be DOS'd. Secondly, a general approach to test the robustness of the engine is through fuzzing. There are a variety of fuzzing libraries out there and some projects on GitHub that contain "naughty" strings that are explicitly meant for pen testing. You may find it worthwhile to fuzz the various engines to see where they fail.
156
answered Oct 28 '25 21:10
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
