
Default `QueryFilter` has a very slow RegEx on certain inputs

Open aukevanleeuwen opened this issue 9 months ago • 2 comments

I was sending some requests with curl to an application that had logbook enabled and noticed quite terrible performance.

curl by default will send data with a `Content-Type: application/x-www-form-urlencoded`; by default this triggers a `QueryFilter` that will try to parse the content and look for `client_secret` and `password` in the body and obfuscate that.

In the end this will end up parsing the body with this Pattern: https://github.com/zalando/logbook/blob/8fa25bb682d7c3d9ef5054d7f7efe4c2ea760ece/logbook-core/src/main/java/org/zalando/logbook/core/QueryFilters.java#L60-L60

I debugged the regex (with PCRE, not Java but seems to have roughly the same performance) and the amount of steps is exponential with the body size. This matches my experience as well. Sending a 100K body took about 4s if I recall correctly, sending 1MB would take minutes.

Btw: it largely depends on the body. If your body actually has a lot of parameters, so lots of stuff separated by &, it's much less of a problem. If it has just a large text of some sort, it will blow up.

Description

Why I consider this a bug: I think there is no reason for a regex that has O(n^2) complexity.

Expected Behavior

To be faster! :-D

Actual Behavior

It's slow.

Steps to Reproduce

  1. Have an application that you can send big request bodies to
  2. Send a request with a large body
  3. Wait

aukevanleeuwen, May 16 '24 08:05
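
An added example, not part of the issue and not logbook's own code: a regex of the shape described above (lazy name, `=`, value) next to a single-pass scan that masks the same `client_secret` and `password` fields. The pattern, the `XXX` mask, the class and method names, and the sample bodies are assumptions constructed for illustration.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class FormBodyObfuscation {
    // Constructed pattern (lazy name, '=', value); an assumption for illustration,
    // not copied from logbook's QueryFilters.java.
    static final Pattern PAIR = Pattern.compile("(?<name>[^&]*?)=(?:[^&]*)");
    static final Set<String> SECRET = Set.of("client_secret", "password");
    static final String MASK = "XXX"; // placeholder mask value

    // Regex version: with no '=' in the body, each start offset rescans to the end.
    static String viaRegex(String body) {
        Matcher m = PAIR.matcher(body);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String name = m.group("name");
            if (SECRET.contains(name)) {
                m.appendReplacement(out, Matcher.quoteReplacement(name + "=" + MASK));
            }
        }
        m.appendTail(out);
        return out.toString();
    }

    // Single pass: split on '&', look for '=' only inside the current pair.
    static String viaScan(String body) {
        StringBuilder out = new StringBuilder(body.length());
        int start = 0;
        while (true) {
            int amp = body.indexOf('&', start);
            String pair = body.substring(start, amp < 0 ? body.length() : amp);
            int eq = pair.indexOf('=');
            boolean secret = eq >= 0 && SECRET.contains(pair.substring(0, eq));
            out.append(secret ? pair.substring(0, eq + 1) + MASK : pair);
            if (amp < 0) return out.toString();
            out.append('&');
            start = amp + 1;
        }
    }

    public static void main(String[] args) {
        String form = "grant_type=password&password=hunter2&client_secret=s3cr3t&x=1"; // constructed
        System.out.println(viaScan(form) + "  same as regex: " + viaScan(form).equals(viaRegex(form)));
        String blob = "a".repeat(50_000); // constructed body with no '&' or '='
        long t0 = System.nanoTime(); viaRegex(blob);
        long t1 = System.nanoTime(); viaScan(blob);
        long t2 = System.nanoTime();
        System.out.printf("regex %d ms, scan %d ms%n", (t1 - t0) / 1_000_000, (t2 - t1) / 1_000_000);
    }
}
```

Doubling the length of `blob` shows how each version scales; the scan bounds its `=` search to the current pair, so a body made only of `&` characters stays linear as well.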