Commit a2a9dedf authored by Michael Henriksen's avatar Michael Henriksen Committed by Russell Dickenson

Suggest using ranges as protection against ReDoS

Adds a suggestion to specify ranges in regular
expressions instead of unbounded `*` and `+`
matchers as part of protecting the matching
engine against regular expression DoS, also known
as Catastrophic Backtracking.
parent 2f33a8cb
...@@ -184,6 +184,8 @@ and [possessive quantifiers](https://www.regular-expressions.info/possessive.htm ...@@ -184,6 +184,8 @@ and [possessive quantifiers](https://www.regular-expressions.info/possessive.htm
- Avoid nested quantifiers if possible (for example `(a+)+`) - Avoid nested quantifiers if possible (for example `(a+)+`)
- Try to be as precise as possible in your regex and avoid the `.` if there's an alternative - Try to be as precise as possible in your regex and avoid the `.` if there's an alternative
- For example, Use `_[^_]+_` instead of `_.*_` to match `_text here_` - For example, Use `_[^_]+_` instead of `_.*_` to match `_text here_`
- Use reasonable ranges (for example, `{1,10}`) for repeating patterns instead of unbounded `*` and `+` matchers
- When possible, perform simple input validation such as maximum string length checks before using regular expressions
- If in doubt, don't hesitate to ping `@gitlab-com/gl-security/appsec` - If in doubt, don't hesitate to ping `@gitlab-com/gl-security/appsec`
#### Go #### Go
......
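Review bot: the new `{1,10}` bullet overstates what a bound buys. A bounded quantifier still backtracks; it only caps how many candidate splits the engine will try for that one piece, and when bounded pieces are nested or adjacent (for example `(a{1,10}){1,10}`, which the existing "avoid nested quantifiers" bullet already warns against in its unbounded form) the engine can still try a large number of ways to divide the input before it fails. Suggest wording it as reducing the cost rather than "instead of" unbounded matchers as if it were a fix, and adding that the bound should come from the domain (the longest identifier or token the field can legitimately hold) so that valid input is not silently rejected. The second new bullet, the maximum string length check before matching, is the one that actually bounds the work, so it is worth listing it first or saying explicitly that the range is a secondary measure.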