reduce the scope of the fuzzer #846
Conversation
There was a problem hiding this comment.
I'm fine with landing this as is, but I think what the fuzzer is doing is correct. When inputs are getting larger and larger std::regex compile time doesn't increase linearly depending on the input size.
We can have std_regex_provider as the default regex but it's not recommended to be used in production systems at all, due to the possibility of having a DDoS using an unsafe input.
I recommend adding re2 as a dependency (which is enabled by a flag) and for others (such as nodejs and cloudflare workers) it is required to pass a custom regex_provider so we know that we don't actually have a path that can halt a system based on the input.
My impression is that re2 does not support the ECMAScript syntax. Rather it seems to support a subset of the Perl's syntax. https://github.com/google/re2/blob/6dcd83d60f7944926bfd308cc13979fc53dd69ca/doc/syntax.txt#L8 |
* reduce the scope of the fuzzer * lint
|
@lemire You are right. Then I propose keeping regex_provider but instead of making it OPT-OUT, let's make it OPT-IN with "ADA_ENABLE_URL_PATTERN=ON" and "ADA_ENABLE_STD_REGEX_PROVIDER=ON". By default we can make it disabled so anyone needs to specificy a provider rather than using the default value. This will discourage people to use std_regex_provider and taking the risk with it. |
I am concerned that the fuzzer is a bit too crazy.