bmcweb
Use secure alternatives for regex
We have been using the regex for validating an input string.
This issue is opened to address Ed's concern over the usage of regex - std::regex is slow, takes a lot of memory, and complicates things that should be simple. In most cases, there are much more performant alternatives that are more clear in code.
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/35522
Performance is one concern, security and correctness are another. As part of this audit, it was found that most of the regexes we use were incorrect in some subtle way, or could be greatly simplified by either calling the library's built-in string verification routines, or handling errors properly.
A good example of this is https://adtmag.com/Blogs/Dev-Watch/2016/07/stack-overflow-crash.aspx. A pretty simple regex took down all of Stack Overflow for a significant amount of time.
bmcweb should be avoiding issues like these.
Most uses of regex have been removed. For uses in non-deprecated options, there is one usage left in ethernet, which needs to be moved into the hostname-handling daemon.
https://github.com/openbmc/bmcweb/search?q=std%3A%3Aregex
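A regex-free hostname check of the kind this issue asks for, as an added example that is not bmcweb's code. The name `isValidHostname` is hypothetical, and the RFC 1123 rules it enforces (253-byte name, 63-byte labels, no trailing dot) are an assumption; the rule bmcweb or the hostname daemon applies may differ.

```cpp
#include <cstddef>
#include <string> // callers usually hold a std::string; it converts to string_view
#include <string_view>

// Explicit ASCII test: std::isalnum depends on the process locale.
constexpr bool isAsciiAlnum(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

// Hypothetical helper: one left-to-right pass, no regex engine, no heap
// allocation and no backtracking, so the cost is O(n) in the input length.
bool isValidHostname(std::string_view name)
{
    constexpr std::size_t maxNameLen = 253; // assumed RFC 1123 limits
    constexpr std::size_t maxLabelLen = 63;

    // Bound the work before inspecting any character.
    if (name.empty() || name.size() > maxNameLen)
    {
        return false;
    }

    std::size_t labelLen = 0;
    char prev = '.';
    for (char c : name)
    {
        if (c == '.')
        {
            // A label must be non-empty and must not end in '-'.
            if (labelLen == 0 || prev == '-')
            {
                return false;
            }
            labelLen = 0;
        }
        else if (isAsciiAlnum(c) || (c == '-' && labelLen > 0))
        {
            if (++labelLen > maxLabelLen)
            {
                return false;
            }
        }
        else
        {
            return false; // '_', spaces, control bytes, non-ASCII, leading '-'
        }
        prev = c;
    }
    // The last label obeys the same rules, which also rejects a trailing dot.
    return labelLen > 0 && prev != '-';
}
```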