
ruby-changes:71554

From: Yusuke <ko1@a...>
Date: Wed, 30 Mar 2022 16:50:59 +0900 (JST)
Subject: [ruby-changes:71554] 34b288f8d4 (master): doc/regexp.rdoc: Add explanation about Regexp timeout configuration

https://git.ruby-lang.org/ruby.git/commit/?id=34b288f8d4

From 34b288f8d471e3a3d34f2a63950b483594df282f Mon Sep 17 00:00:00 2001
From: Yusuke Endoh <mame@r...>
Date: Thu, 24 Mar 2022 17:01:30 +0900
Subject: doc/regexp.rdoc: Add explanation about Regexp timeout configuration

---
 doc/regexp.rdoc | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/doc/regexp.rdoc b/doc/regexp.rdoc
index 6aa11b0c5a..65d8cd46fa 100644
--- a/doc/regexp.rdoc
+++ b/doc/regexp.rdoc
@@ -27,6 +27,9 @@ Here 'haystack' contains the pattern 'hay', so it matches: https://github.com/ruby/ruby/blob/trunk/doc/regexp.rdoc#L27
 Specifically, <tt>/st/</tt> requires that the string contains the letter
 _s_ followed by the letter _t_, so it matches _haystack_, also.
 
+Note that any Regexp matching will raise a RuntimeError if timeout is set and
+exceeded. See "Timeout" section in detail.
+
 == <tt>=~</tt> and Regexp#match
 
 Pattern matching may be achieved by using <tt>=~</tt> operator or Regexp#match
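Review bot: "See "Timeout" section in detail" reads awkwardly; suggest "See the "Timeout" section for details." Since this note is what tells readers what they must rescue, it would also help to be precise about the exception: a bare RuntimeError cannot be told apart from unrelated runtime failures, so if the match raises a more specific class or a fixed message, state it here so callers can rescue the timeout selectively.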
@@ -759,3 +762,23 @@ with <i>a{0,29}</i>: https://github.com/ruby/ruby/blob/trunk/doc/regexp.rdoc#L762
 
     Regexp.new('a{0,29}' + 'a' * 29) =~ 'a' * 29
 
+== Timeout
+
+There are two APIs to set timeout. One is Timeout.timeout=, which is
+process-global configuration of timeout for Regexp matching.
+
+    Regexp.timeout = 3
+    s = 'a' * 25 + 'd' + 'a' * 4 + 'c'
+    /(b|a+)*c/ =~ s  #=> This raises an exception in three seconds
+
+The other is timeout keyword of Regexp.new.
+
+    re = Regexp.new("(b|a+)*c", timeout: 3)
+    s = 'a' * 25 + 'd' + 'a' * 4 + 'c'
+    /(b|a+)*c/ =~ s  #=> This raises an exception in three seconds
+
+When using Regexps to process untrusted input, you should use the timeout
+feature to avoid excessive backtracking. Otherwise, a malicious user can
+provide input to Regexp causing Denail-of-Service attack.
+Note that the timeout is not set by default because an appropriate limit
+highly depends on an application requirement and context.
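Review bot: The API name in the first paragraph is wrong: the text says "Timeout.timeout=", but the example directly below it uses Regexp.timeout = 3, and Timeout.timeout is an unrelated stdlib method, so the sentence should read "One is Regexp.timeout=, which is a process-global timeout for Regexp matching." The second example never exercises the per-regexp timeout it is meant to show: `re` is constructed with `timeout: 3`, but the match line is the literal `/(b|a+)*c/ =~ s`, which has no timeout unless the global one is also set; it should be `re =~ s`. Two smaller fixes in the last paragraph: "Denail-of-Service" should be "Denial-of-Service", and the closing sentence reads better as "because an appropriate limit depends heavily on the application's requirements and context."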


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
