Reword some regex safety warnings#54621
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the .NET regular expression security guidance to avoid implying that timeouts alone protect against all hostile scenarios, and it adds clearer cross-links between related sections.
Changes:
- Rewords the shared regex warning include to focus on ReDoS risk and point readers to the best-practices guidance.
- Adds targeted warnings clarifying that NonBacktracking and timeouts mitigate expensive input, not malicious patterns.
- Updates the external reference from CISA DoS guidance to OWASP’s ReDoS-focused material.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| includes/regex.md | Updates the reusable warning text to reference OWASP ReDoS guidance and link to the best-practices page. |
| docs/standard/base-types/regular-expression-options.md | Adds a warning in the NonBacktracking section clarifying threat model and linking to trusted-pattern guidance. |
| docs/standard/base-types/best-practices-regex.md | Adds a consolidated security warning up front and a timeout-specific warning clarifying limitations vs. malicious patterns. |
|
I'm intentionally ignoring the markdownlint violations since I don't believe I changed the newlines in the file. (The original file started with a stray newline, and it didn't end with a newline.) If the reviewers want these addressed, just say the word! |
Co-authored-by: Andy (Steve) De George <67293991+adegeo@users.noreply.github.com>
Co-authored-by: Andy (Steve) De George <67293991+adegeo@users.noreply.github.com>
| The .NET regular expression engine is designed with the assumption that patterns are trusted, that is, they are authored or reviewed by the application developer, not supplied by end users or other untrusted sources. Patterns can cause excessive resource consumption regardless of the input text, and the regular expression engine does not attempt to guard against hostile patterns. | ||
| The .NET regular expression engine distinguishes *patterns* (the regular expression itself, such as `^[0-9A-Za-z]+$`) from the *input text* (the string being evaluated against the regular expression, such as `123AbC456`). These values are typically passed to the `Regex` APIs through arguments named *pattern* and *input*, respectively. | ||
|
|
||
| These APIs are designed with the assumption that patterns are trusted, that is, they are authored or reviewed by the application developer, not supplied by end users or other untrusted sources. Patterns can cause excessive resource consumption regardless of the input text, and the regular expression engine does not attempt to guard against hostile patterns. |
There was a problem hiding this comment.
I'm tempted to qualify, "Patterns can cause excessive resource consumption," with something like, "Some patterns," or, "Some features of regular expression patterns," but that just opens it up to needing to elaborate further on what "some" means. Unless you have suggestions on how to adequately qualify it, leaving it as-is is OK with me.
I'm updating regex docs across the various docs repos. This is one part of that update.
Changes:
Related PRs:
Internal previews