`crowdsecurity/thinkphp-cve-2018-20062` is very slow as it doesn't use RegexpInFile (and I'm not even sure it deserves to be a regexp)

Open buixor opened this issue 2 years ago • 0 comments

While benching unrelated issues for https://github.com/crowdsecurity/crowdsec/issues/2669 we discovered that the thinkphp scenario, because it's old, does:

evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File("thinkphp_cve_2018-20062.txt"), {Upper(evt.Meta.http_path) matches Upper(#)})

Because of how expr works, the regexps get compiled every time the expression is evaluated.

From a quick bench, it can lead to >25% overall speed increase when processing HTTP logs.

Jan 10 '24 12:01 buixor