C# Security Tip: Regexes
This is a cross-post from my recent LinkedIn article.
Regexes are hard to get right, and sometimes they can even present as security vulnerabilities.
Take something ‘simple’ like email validation:
The code above is relatively simple and quite common: a regex is defined and input is validated against it.
The trouble here is that the regex is vulnerable to a DoS (denial-of-service) attack: with the right input (such as the example aaaaaaaaaaaaaaaa!) you can cause the server to time out.
The example given took my machine 2 minutes to run through.
Here are two ways to improve it (leaving out the option of simply writing a better regex, using atomic groups or safer subexpressions).
Timeout
Adding a timeout to the Regex makes it throw a RegexMatchTimeoutException if matching exceeds the limit.
RegexOptions.NonBacktracking
Adding the regex option RegexOptions.NonBacktracking can also mitigate this security issue.
This is similar to using atomic groups, which disable backtracking for one subexpression; this option disables backtracking for the whole pattern.
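The following C# program is an added example and not the article's own code. It uses a constructed, deliberately vulnerable email pattern with a nested quantifier (an assumption standing in for the article's regex, which is not reproduced here) and shows the two mitigations side by side: the same pattern compiled with a match timeout, and the same pattern compiled with RegexOptions.NonBacktracking (available from .NET 7). The 200 ms timeout and the 30-character hostile input are chosen for the demo.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not the article's code. The pattern is a constructed stand-in:
// the nested quantifier ([a-zA-Z0-9]+)* backtracks exponentially on a
// non-matching input such as "aaaaaaaaaaaaaaaa!".
public static class RegexDosDemo
{
    private const string VulnerablePattern = @"^([a-zA-Z0-9]+)*@[a-zA-Z0-9]+\.[a-zA-Z]{2,}$";

    // 1. Unprotected: the "before" state, exponential on the failing input.
    private static readonly Regex Unprotected = new Regex(VulnerablePattern);

    // 2. Timeout: same pattern, but the match is abandoned after 200 ms with a
    //    RegexMatchTimeoutException, which the caller treats as "invalid".
    private static readonly Regex WithTimeout =
        new Regex(VulnerablePattern, RegexOptions.None, TimeSpan.FromMilliseconds(200));

    // 3. NonBacktracking (.NET 7+): the engine guarantees linear-time matching
    //    for any input, so the hostile string is rejected promptly.
    private static readonly Regex NonBacktracking =
        new Regex(VulnerablePattern, RegexOptions.NonBacktracking);

    public static bool IsValidEmailWithTimeout(string input)
    {
        try
        {
            return WithTimeout.IsMatch(input);
        }
        catch (RegexMatchTimeoutException)
        {
            // Fail closed: a timeout counts as invalid input. Log it so that a
            // spike in regex timeouts is visible to monitoring.
            Console.WriteLine($"regex timeout after {WithTimeout.MatchTimeout.TotalMilliseconds} ms");
            return false;
        }
    }

    public static bool IsValidEmailNonBacktracking(string input) => NonBacktracking.IsMatch(input);

    public static void Main()
    {
        string good = "user123@example.com";
        // Constructed hostile input in the shape the article describes: many
        // valid characters followed by one that can never match.
        string hostile = new string('a', 30) + "!";

        Console.WriteLine($"timeout      : {good} -> {IsValidEmailWithTimeout(good)}");
        Console.WriteLine($"timeout      : {hostile} -> {IsValidEmailWithTimeout(hostile)}");
        Console.WriteLine($"nonbacktrack : {good} -> {IsValidEmailNonBacktracking(good)}");
        Console.WriteLine($"nonbacktrack : {hostile} -> {IsValidEmailNonBacktracking(hostile)}");

        // The unprotected regex is only run on the benign input: it behaves
        // normally there, while the hostile input would stall this thread.
        Console.WriteLine($"unprotected  : {good} -> {Unprotected.IsMatch(good)}");
    }
}
```

Two practical notes. A timeout can also be applied process-wide without touching every instantiation, by setting the AppDomain data slot "REGEX_DEFAULT_MATCH_TIMEOUT" to a TimeSpan at startup; regexes constructed without an explicit timeout then inherit it. RegexOptions.NonBacktracking is not a drop-in replacement for every pattern: constructs such as backreferences, lookarounds and atomic groups are not supported and cause the constructor to throw, so it is worth compiling each regex once at startup so an unsupported pattern fails fast rather than on the first request.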
Closing remarks
Between NonBacktracking and Timeout, I personally lean towards the timeout: simply adding a timeout to every single regex is a simple way of mitigating any Regex DoS vulnerability that might present itself. It is also VERY easy to code review, as it doesn't require any logic aside from adding it to the instantiation of the Regex.
Regex DoS attacks aren't always due to backtracking, although it is a very common cause of the issue.
Sources:
Regular expression Denial of Service — ReDoS | OWASP Foundation