Module: Parse::RegexSecurity

Defined in:: lib/parse/query/constraints.rb

Overview

Security module for validating regex patterns to prevent ReDoS attacks. MongoDB uses PCRE which is susceptible to catastrophic backtracking.

Constant Summary collapse

MAX_PATTERN_LENGTH = Maximum allowed length for regex patterns

DANGEROUS_PATTERNS = Patterns that can cause exponential backtracking in PCRE

[
  /\(\?\=|\(\?\!|\(\?\<[!=]/,                    # Lookahead/lookbehind assertions
  /\{(\d{3,}|\d+,\d{3,})\}/,                     # Large repetition counts {1000} or {1,1000}
  /(\.\*|\.\+)\s*(\.\*|\.\+)/,                   # Consecutive .* or .+ patterns
  /\([^)]*(\+|\*)[^)]*\)\s*(\+|\*)/,             # Nested quantifiers like (a+)+
  /\(\?[^)]*\([^)]*(\+|\*)[^)]*\)[^)]*(\+|\*)\)/, # More complex nested quantifiers
].freeze

Class Method Summary collapse

.safe?(pattern, max_length: MAX_PATTERN_LENGTH) ⇒ Boolean

Checks if a pattern is safe without raising an exception.
.validate!(pattern, max_length: MAX_PATTERN_LENGTH) ⇒ String

Validates a regex pattern for potential ReDoS vulnerabilities.

Class Method Details

.safe?(pattern, max_length: MAX_PATTERN_LENGTH) ⇒ `Boolean`

Checks if a pattern is safe without raising an exception.

Parameters:

pattern (String, Regexp) —

the pattern to check

Returns:

(Boolean) —

true if safe, false if potentially dangerous

# File 'lib/parse/query/constraints.rb', line 57

def safe?(pattern, max_length: MAX_PATTERN_LENGTH)
  validate!(pattern, max_length: max_length)
  true
rescue ArgumentError
  false
end

.validate!(pattern, max_length: MAX_PATTERN_LENGTH) ⇒ `String`

Validates a regex pattern for potential ReDoS vulnerabilities.