sbassett added a comment.

  @RazShuty @Addshore @Lucas_Werkmeister_WMDE - Sorry for the (very) delayed response here. Due to a healthy amount of organizational shift, the #security-team <https://phabricator.wikimedia.org/tag/security-team/> is just now getting our Phab workboards in order to review these kinds of items more consistently. For now, it's still probably best to find one of us on IRC (most of us run bouncers or use IRCCloud) or email us if there are any lingering tasks like this.
  
  Regarding this task, specifically:
  
  > However, the majority of user-provided regexes we’re interested in (76%) do not contain any parentheses, which means they cannot contain any groups and their star height must be 0 or 1. Unless I’m mistaken, this should mean we can safely evaluate them via preg_match, and the evaluation time should not explode.
  
  I feel like this is a generally safe assumption to make in eliminating large swaths of likely benign regexp patterns, assuming someone doesn't create an enormously lengthy regular expression pattern which might suffer from other performance-related issues. In addition to parentheses, I'd guess that any occurrences of unbound repetition operators (`+`, `*`, `{n,}`) might further help to classify potentially dangerous regexp patterns. Of course static analysis to determine the safety of regexp patterns is fairly difficult if not impossible in certain situations, so additional solutions involving sandboxing, limiting memory usage, etc. as discussed on the parent task would certainly be encouraged as best practices by the #security-team <https://phabricator.wikimedia.org/tag/security-team/>.
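As an added example (not code from this task or from MediaWiki), a PHP pre-filter that applies the two heuristics from the comment above (unescaped parentheses meaning groups, and unbounded repetition operators) together with a preg_match wrapper that bounds PCRE's backtracking budget. The function names, the 200-character length limit and the sample patterns are assumptions made for the example.

```php
<?php
// Added example, not code from the task or MediaWiki: the two heuristics above as a pre-filter, plus preg_match under a bounded backtracking budget.
/**
 * Classify a user-supplied pattern body (no delimiters) before compiling it.
 * Returns ['risk' => 'low'|'review', 'reasons' => string[]]. Escaped metacharacters
 * (odd run of backslashes before them) are ignored; '[(]' inside a character
 * class is still flagged, which errs on the safe side.
 */
function classifyUserRegex(string $pattern, int $maxLength = 200): array
{
    $reasons = [];
    if (strlen($pattern) > $maxLength) { // assumed limit, not from the task
        $reasons[] = "longer than $maxLength chars";
    }
    // An unescaped '(' opens a group; without groups the star height is 0 or 1.
    if (preg_match('/(?<!\\\\)(?:\\\\\\\\)*\(/', $pattern)) {
        $reasons[] = 'contains a group';
    }
    // Unbounded repetition (*, +, {n,}). Even without groups, adjacent
    // unbounded quantifiers can still backtrack polynomially on bad input.
    if (preg_match('/(?<!\\\\)(?:\\\\\\\\)*(?:[*+]|\{\d+,\})/', $pattern)) {
        $reasons[] = 'unbounded repetition';
    }
    return ['risk' => $reasons ? 'review' : 'low', 'reasons' => $reasons];
}
/**
 * preg_match under a backtracking budget: true/false on a normal match, null
 * when PCRE gave up (PREG_BACKTRACK_LIMIT_ERROR, or PREG_JIT_STACKLIMIT_ERROR
 * with pcre.jit on) or the pattern is invalid. Log preg_last_error() and
 * treat null as "no match"; never retry without the limit.
 */
function boundedPregMatch(string $pattern, string $subject, int $backtrackLimit = 100000): ?bool
{
    $old = (string) ini_get('pcre.backtrack_limit');
    ini_set('pcre.backtrack_limit', (string) $backtrackLimit);
    try {
        $result = preg_match($pattern, $subject);
        return $result === false ? null : $result === 1;
    } finally {
        ini_set('pcre.backtrack_limit', $old);
    }
}
// Constructed samples: a tame pattern, the classic nested one, and a group-free one still flagged for unbounded repetition.
foreach (['^[a-z0-9]{1,20}$', '^(a+)+$', '\d+\s*\d+'] as $p) {
    $c = classifyUserRegex($p);
    echo "$p => {$c['risk']} " . implode(', ', $c['reasons']) . "\n";
}
$r = boundedPregMatch('/^(a+)+$/', str_repeat('a', 30) . 'b', 1000);
echo $r === null ? "evaluation aborted at the limit\n" : 'matched: ' . var_export($r, true) . "\n";
```

The classifier only decides which patterns need review or sandboxed evaluation; it does not prove the remaining ones safe, which is why the wrapper still enforces a limit on every call.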

TASK DETAIL
  https://phabricator.wikimedia.org/T214378


_______________________________________________
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
