On Mon, Feb 14, 2022 at 9:55 AM J.B. Langston <jblangs...@datastax.com> wrote:
> ... more generally I think it would be good to have a timeout option that > could be configurable when compiling the regex so that if the regex didn't > complete within the specified timeframe, it would abort and throw an > exception. > > ... The suggestion made to me on the bug was to read Mastering Regular > Expressions and get better at writing regexes. I will take this advice, but > this isn't really a reasonable solution to my problem for a few reasons. > My use case is log parsing and I have a large number of regexes that run > over many different log lines. With the volume of regexes I have, it's hard > to make sure every regex has no potential problems, especially when the > pathological behavior only occurs on certain inputs that may not have been > anticipated when developing the regex. > A regex that's vulnerable to pathological behavior is a DoS attack waiting to happen. Especially when used for parsing log data (which might contain untrusted data). If possible, we should make it harder for people to shoot themselves in the feet. As an aside, pure regex's are not vulnerable, only extended regex. However, Python doesn't (that I know of) have a class that only accepts pure regex. --- Bruce
_______________________________________________ Python-ideas mailing list -- python-ideas@python.org To unsubscribe send an email to python-ideas-le...@python.org https://mail.python.org/mailman3/lists/python-ideas.python.org/ Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/SYGCVTCLN2WMHPZ4DV36FJ2JYCZHURR3/ Code of Conduct: http://python.org/psf/codeofconduct/
