Skip to content

Reword some regex safety warnings#54621

Open
GrabYourPitchforks wants to merge 5 commits into
mainfrom
levib/update_regex_docs
Open

Reword some regex safety warnings#54621
GrabYourPitchforks wants to merge 5 commits into
mainfrom
levib/update_regex_docs

Conversation

@GrabYourPitchforks

@GrabYourPitchforks GrabYourPitchforks commented Jul 2, 2026

Copy link
Copy Markdown
Member

I'm updating regex docs across the various docs repos. This is one part of that update.

Changes:

  • Remove misleading guidance that timeout values are appropriate ways to guard against all hostile values.
  • Create links between security-relevant sections in the regex best practices guidance.
  • Update external link from CISA to OWASP. The CISA guidance is primarily DDoS-related, which isn't quite relevant to the discussion here. OWASP's discussion is geared specifically toward ReDoS, which is on point.

Related PRs:


Internal previews

📄 File 🔗 Preview link
docs/standard/base-types/best-practices-regex.md Best practices for regular expressions in .NET
docs/standard/base-types/regular-expression-options.md Options for regular expression

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the .NET regular expression security guidance to avoid implying that timeouts alone protect against all hostile scenarios, and it adds clearer cross-links between related sections.

Changes:

  • Rewords the shared regex warning include to focus on ReDoS risk and point readers to the best-practices guidance.
  • Adds targeted warnings clarifying that NonBacktracking and timeouts mitigate expensive input, not malicious patterns.
  • Updates the external reference from CISA DoS guidance to OWASP’s ReDoS-focused material.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
includes/regex.md Updates the reusable warning text to reference OWASP ReDoS guidance and link to the best-practices page.
docs/standard/base-types/regular-expression-options.md Adds a warning in the NonBacktracking section clarifying threat model and linking to trusted-pattern guidance.
docs/standard/base-types/best-practices-regex.md Adds a consolidated security warning up front and a timeout-specific warning clarifying limitations vs. malicious patterns.

Comment thread includes/regex.md Outdated
@GrabYourPitchforks

Copy link
Copy Markdown
Member Author

I'm intentionally ignoring the markdownlint violations since I don't believe I changed the newlines in the file. (The original file started with a stray newline, and it didn't end with a newline.)

If the reviewers want these addressed, just say the word!

Comment thread includes/regex.md Outdated

@adegeo adegeo left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor fix for path

Comment thread includes/regex.md Outdated
Co-authored-by: Andy (Steve) De George <67293991+adegeo@users.noreply.github.com>
@adegeo adegeo enabled auto-merge (squash) July 7, 2026 00:26
@GrabYourPitchforks GrabYourPitchforks requested a review from adegeo July 7, 2026 00:27
Comment thread includes/regex.md
Co-authored-by: Andy (Steve) De George <67293991+adegeo@users.noreply.github.com>
The .NET regular expression engine is designed with the assumption that patterns are trusted, that is, they are authored or reviewed by the application developer, not supplied by end users or other untrusted sources. Patterns can cause excessive resource consumption regardless of the input text, and the regular expression engine does not attempt to guard against hostile patterns.
The .NET regular expression engine distinguishes *patterns* (the regular expression itself, such as `^[0-9A-Za-z]+$`) from the *input text* (the string being evaluated against the regular expression, such as `123AbC456`). These values are typically passed to the `Regex` APIs through arguments named *pattern* and *input*, respectively.

These APIs are designed with the assumption that patterns are trusted, that is, they are authored or reviewed by the application developer, not supplied by end users or other untrusted sources. Patterns can cause excessive resource consumption regardless of the input text, and the regular expression engine does not attempt to guard against hostile patterns.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm tempted to qualify, "Patterns can cause excessive resource consumption," with something like, "Some patterns," or, "Some features of regular expression patterns," but that just opens it up to needing to elaborate further on what "some" means. Unless you have suggestions on how to adequately qualify it, leaving it as-is is OK with me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants