introduce ADA_USE_UNSAFE_STD_REGEX_PROVIDER flag for security

CMakeLists.txt

@@ -13,15 +13,10 @@ include(GNUInstallDirs)
 include(CTest)
 include(cmake/ada-flags.cmake)
 
-set(ADA_SOURCE_DIR src)
-
 add_subdirectory(src)
 
 set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/scripts/cmake)
 
-option(ADA_BENCHMARKS "Build benchmarks" OFF)
-option(ADA_TESTING "Build tests" OFF)
-
 # There are cases where when embedding ada as a dependency for other CMake
 # projects as submodules or subdirectories (via FetchContent) can lead to
 # errors due to CPM, so this is here to support disabling all the testing
@@ -57,6 +52,7 @@ if(ADA_TESTING OR ADA_BENCHMARKS OR ADA_TOOLS)
 
   if (ADA_TESTING AND NOT EMSCRIPTEN)
     set(CTEST_TEST_TIMEOUT 5)
+    set(ADA_USE_UNSAFE_STD_REGEX_PROVIDER ON)
     message(STATUS "The tests are enabled.")
     add_subdirectory(tests)
   else()
@@ -82,6 +78,16 @@ endif()
 
 add_library(ada::ada ALIAS ada)
 
+if(ADA_TESTING)
+  # IMPORTANT!
+  #
+  # We enable std_regex_provider for testing purposes
+  # It is not recommended to enable this flag and use std::regex under
+  # production environments due to several security issues.
+  #
+  target_compile_definitions(ada PUBLIC ADA_USE_UNSAFE_STD_REGEX_PROVIDER=ON)
+endif()
+
 set_target_properties(
   ada PROPERTIES
   VERSION "${ADA_LIB_VERSION}"

cmake/ada-flags.cmake

@@ -16,6 +16,9 @@ if(ADA_SANITIZE_UNDEFINED)
 endif()
 option(ADA_COVERAGE "Compute coverage" OFF)
 option(ADA_TOOLS "Build cli tools (adaparse)" OFF)
+option(ADA_BENCHMARKS "Build benchmarks" OFF)
+option(ADA_TESTING "Build tests" OFF)
+option(ADA_USE_UNSAFE_STD_REGEX_PROVIDER "Enable unsafe regex provider that uses std::regex" OFF)
 
 if (ADA_COVERAGE)
     message(STATUS "You want to compute coverage. We assume that you have installed gcovr.")

fuzz/build.sh

@@ -37,12 +37,23 @@ $CXX $CFLAGS $CXXFLAGS \
 $CXX $CFLAGS $CXXFLAGS $LIB_FUZZING_ENGINE url_search_params.o \
      -o $OUT/url_search_params
 
-$CXX $CFLAGS $CXXFLAGS \
+# IMPORTANT
+#
+# We use std_regex_provider for testing purposes.
+# It is not encouraged or recommended to be used within production
+# environments due to security problems.
+#
+# Please do not enable it on production systems!
+#
+$CXX -DADA_USE_UNSAFE_STD_REGEX_PROVIDER=1 \
+     $CFLAGS $CXXFLAGS \
      -std=c++20 \
      -I build/singleheader \
      -c fuzz/url_pattern.cc -o url_pattern.o
 
-$CXX $CFLAGS $CXXFLAGS $LIB_FUZZING_ENGINE url_pattern.o \
+$CXX -DADA_USE_UNSAFE_STD_REGEX_PROVIDER=1 \
+     $CFLAGS $CXXFLAGS $LIB_FUZZING_ENGINE \
+     url_pattern.o \
      -o $OUT/url_pattern
 
 $CXX $CFLAGS $CXXFLAGS \

include/ada/url_pattern_regex.h

@@ -6,7 +6,10 @@
 #define ADA_URL_PATTERN_REGEX_H
 
 #include <concepts>
+
+#ifdef ADA_USE_UNSAFE_STD_REGEX_PROVIDER
 #include <regex>
+#endif  // ADA_USE_UNSAFE_STD_REGEX_PROVIDER
 
 namespace ada::url_pattern_regex {
 
@@ -38,6 +41,7 @@ concept regex_concept = requires(T t, std::string_view pattern,
   { T(std::declval<T&&>()) } -> std::same_as<T>;
 };
 
+#ifdef ADA_USE_UNSAFE_STD_REGEX_PROVIDER
 class std_regex_provider {
  public:
   std_regex_provider() = default;
@@ -48,6 +52,7 @@ class std_regex_provider {
       std::string_view input, const regex_type& pattern);
   static bool regex_match(std::string_view input, const regex_type& pattern);
 };
+#endif  // ADA_USE_UNSAFE_STD_REGEX_PROVIDER
 
 }  // namespace ada::url_pattern_regex
 

src/url_pattern_regex.cpp

@@ -1,7 +1,8 @@
-#include <regex>
 #include "ada/url_pattern_regex.h"
 
 namespace ada::url_pattern_regex {
+
+#ifdef ADA_USE_UNSAFE_STD_REGEX_PROVIDER
 std::optional<std::regex> std_regex_provider::create_instance(
     std::string_view pattern, bool ignore_case) {
   // Let flags be an empty string.
@@ -49,4 +50,6 @@ bool std_regex_provider::regex_match(std::string_view input,
   return std::regex_match(input.begin(), input.end(), pattern);
 }
 
+#endif  // ADA_USE_UNSAFE_STD_REGEX_PROVIDER
+
 }  // namespace ada::url_pattern_regex