Learn how to prevent Regex Missing Timeout vulnerabilities with real code examples and best practices. Protect your application from denial of service attacks caused by regex patterns.
Tools recognizing this:
FortifyCheckmarxSonarQubeSnykSemgrepCodeQL
What is Regex Missing Timeout and How Does it Work?
Regex Missing Timeout is a security vulnerability that occurs when regular expressions are executed without a timeout limit. This can lead to denial of service attacks through catastrophic backtracking, where a malicious input causes the regex engine to spend excessive time processing.
The vulnerability can be exploited when:
Complex regex patterns are used without timeout controls
User input can influence the string being matched
The regex pattern is susceptible to catastrophic backtracking
No execution time limits are set for the regex operation
This guide covers Regex Missing Timeout vulnerabilities, examples, prevention methods, and how to implement proper timeout controls using real-world techniques.
One Simple Regex Missing Timeout Attack Example
Consider this vulnerable regex implementation:
Regex regex = new Regex("^(a+)+b$");
bool isMatch = regex.IsMatch(userInput);
An attacker could provide this input:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaX
This input would cause catastrophic backtracking, potentially freezing the application as the regex engine attempts to process all possible combinations.
Regex Missing Timeout Prevention Methods: How to Fix Your Code
The most efficient way to fix a Regex Missing Timeout issue is by implementing proper timeout controls when executing regular expressions.
Adding timeouts ensures that regex operations cannot run indefinitely, protecting against denial of service attacks. Different programming languages offer various mechanisms to implement these controls.
The vulnerable code creates a Regex without timeout controls.The fix adds a timeout parameter of 30 seconds using TimeSpan.FromMilliseconds.If the regex operation exceeds the timeout, it throws a RegexMatchTimeoutException.This prevents infinite processing of malicious inputs.
String pattern = "^(a+)+b$";
Pattern regex = Pattern.compile(pattern);
RegexTimeout timeout = new RegexTimeout(30, TimeUnit.SECONDS);
boolean isMatch = timeout.matches(regex, userInput);
class RegexTimeout {
private final long timeout;
private final TimeUnit unit;
public RegexTimeout(long timeout, TimeUnit unit) {
this.timeout = timeout;
this.unit = unit;
}
public boolean matches(Pattern pattern, String input) {
FutureTask<Boolean> task = new FutureTask<>(() ->
pattern.matcher(input).matches());
Thread thread = new Thread(task);
thread.start();
try {
return task.get(timeout, unit);
} catch (TimeoutException e) {
thread.interrupt();
throw new RuntimeException("Regex timeout exceeded");
}
}
}
Fix Explanation
The vulnerable code has no timeout mechanism for regex operations.The fix implements a custom timeout wrapper using FutureTask and Thread.The regex operation runs in a separate thread with a specified timeout.If the timeout is exceeded, the thread is interrupted and an exception is thrown.
The vulnerable code has no timeout mechanism.The fix implements a context manager using signal.SIGALRM.Sets a 30-second timeout for the regex operation.If the timeout is exceeded, raises a TimeoutError.Note: This solution works only on Unix-like systems.
The vulnerable code has no timeout controls.The fix uses a Web Worker to run regex in a separate thread.Implements a timeout using Promise and setTimeout.If the timeout is exceeded, the worker is terminated.This prevents the main thread from being blocked by long-running regex operations.
The vulnerable code has no timeout mechanism.The fix implements a wrapper function with timeout control.Uses set_time_limit() to enforce a maximum execution time.Monitors actual execution time using microtime().Restores original time limit after execution.
Need more help in preventing Regex Missing Timeout?
We'd love your feedback!
We're excited to hear your thoughts and ideas about fixing vulnerabilities.
