NiXTheDev/Ogex
1
0
Fork 0
Code Issues 36 Pull requests 1 Projects Releases 1 Packages Wiki Activity Actions

Include Tests for Pathological Patterns to Ensure Backtracking Limits #16

New issue
Closed
opened 2026-03-11 18:11:00 +03:00 by NiXTheDev · 0 comments
NiXTheDev commented 2026-03-11 18:11:00 +03:00 (Migrated from github.com)
Copy link

Goal: Protect against Regular Expression Denial of Service (ReDoS) by testing with exponential-time patterns.

Certain regex patterns (e.g., (a*)*, (a|a)*) can cause catastrophic backtracking. Without limits, the engine could hang or consume excessive CPU.

Proposed Solution:

  • Implement a backtracking limit (e.g., maximum number of steps) configurable at compile or runtime.
  • Add tests that run these pathological patterns with a short input and ensure they terminate within a reasonable time (or return a timeout error).

Implementation Steps:

  1. Add a backtrack_limit field to Regex or NfaSimulator, defaulting to a high value (e.g., 10_000_000).
  2. In the matching loop, increment a counter and abort if exceeded, returning a RuntimeError.
  3. Add tests with patterns known to cause exponential blowup and verify that they either complete quickly or return an error.

Example:

#[test]
fn test_pathological_pattern_terminates() {
    let re = Regex::new(r"(a*)*").unwrap();
    let input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    // Should not hang; either returns match or error.
    let _ = re.is_match(input);
}
**Goal**: Protect against Regular Expression Denial of Service (ReDoS) by testing with exponential-time patterns. Certain regex patterns (e.g., `(a*)*`, `(a|a)*`) can cause catastrophic backtracking. Without limits, the engine could hang or consume excessive CPU. **Proposed Solution**: - Implement a backtracking limit (e.g., maximum number of steps) configurable at compile or runtime. - Add tests that run these pathological patterns with a short input and ensure they terminate within a reasonable time (or return a timeout error). **Implementation Steps**: 1. Add a `backtrack_limit` field to `Regex` or `NfaSimulator`, defaulting to a high value (e.g., 10_000_000). 2. In the matching loop, increment a counter and abort if exceeded, returning a `RuntimeError`. 3. Add tests with patterns known to cause exponential blowup and verify that they either complete quickly or return an error. **Example**: ```rust #[test] fn test_pathological_pattern_terminates() { let re = Regex::new(r"(a*)*").unwrap(); let input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // Should not hang; either returns match or error. let _ = re.is_match(input); } ```
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
release
renovate/0.1.2-major-github-actions-major
0.1.2
v0.1.1
Labels
Clear labels   
Epic

   
GHA

   
Release

   
bug
Something isn't working

  
dependencies

   
documentation
Improvements or additions to documentation

  
duplicate
This issue or pull request already exists

  
enhancement
New feature or request

  
good first issue
Good for newcomers

  
help wanted
Extra attention is needed

  
invalid
This doesn't seem right

  
major

   
question
Further information is requested

  
rust

   
wontfix
This will not be worked on

No labels
Epic
GHA
Release
bug
dependencies
documentation
duplicate
enhancement
good first issue
help wanted
invalid
major
question
rust
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
NiXTheDev/Ogex#16
No description provided.