Skip to content

Clarify regex warnings#130271

Open
GrabYourPitchforks wants to merge 2 commits into
mainfrom
levib/update_regex_docs
Open

Clarify regex warnings#130271
GrabYourPitchforks wants to merge 2 commits into
mainfrom
levib/update_regex_docs

Conversation

@GrabYourPitchforks

@GrabYourPitchforks GrabYourPitchforks commented Jul 7, 2026

Copy link
Copy Markdown
Member

Doc changes only. No code changes.

I'm updating regex docs across the various docs repos. This is one part of that update.

Changes:

  • Put a DoS warning on the type itself with forward links to relevant info.
  • (Still trying to figure out where to remove the vestigial ctor-level warnings.)
  • Update external link from CISA to OWASP. The CISA guidance is primarily DDoS-related, which isn't quite relevant to the discussion here. OWASP's discussion is geared specifically toward ReDoS, which is on point.

Related PRs:

@GrabYourPitchforks

Copy link
Copy Markdown
Member Author

@gewarren Here's the other PR you suggested I open.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates in-source XML documentation for System.Text.RegularExpressions to better surface security guidance and to improve links to Learn content.

Changes:

  • Update RegexOptions.NonBacktracking documentation to reference the relevant “NonBacktracking mode” section in the Learn article.
  • Replace Regex type remarks with markdown-formatted remarks that include a prominent ReDoS/DoS warning and links to best practices.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
src/libraries/System.Text.RegularExpressions/src/System/Text/RegularExpressions/RegexOptions.cs Tweaks the doc comment for NonBacktracking to point readers at the relevant Learn section.
src/libraries/System.Text.RegularExpressions/src/System/Text/RegularExpressions/Regex.cs Updates type-level remarks to markdown and adds a security warning plus forward links.

Copilot AI review requested due to automatic review settings July 7, 2026 00:08

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Comment on lines +22 to +27
/// <remarks><format type="text/markdown"><![CDATA[
/// The <xref:System.Text.RegularExpressions.Regex> class represents the .NET regular expression engine. It can be used to quickly parse large amounts of text to find specific character patterns; to extract, edit, replace, or delete text substrings; and to add the extracted strings to a collection to generate a report.
///
/// > [!WARNING]
/// > Unrestricted use of this class with untrusted input can subject applications to [denial-of-service attacks](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS). Consult [Best practices for regular expressions in .NET](https://learn.microsoft.com/dotnet/standard/base-types/best-practices-regex) for guidance on how to safely use this class with untrusted input.
/// ]]></format></remarks>

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reasonable suggestion from Copilot here.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Copilot Code Review

Holistic Assessment

Motivation: Well-justified. Adding a prominent ReDoS security warning at the Regex type level is valuable — it surfaces the risk before developers reach individual APIs. The OWASP link is more appropriate than the prior CISA reference since it targets ReDoS specifically.

Approach: Correct. Uses the established <format type="text/markdown"><![CDATA[...]]> pattern already present in sibling Regex.Match.cs, and the > [!WARNING] admonition is standard for learn.microsoft.com docs rendering.

Summary: ✅ LGTM. This is a well-scoped, documentation-only change that improves security guidance without risk. The format matches existing patterns in the same file area, and the content is accurate.


Detailed Findings

Detailed Findings

✅ Documentation Format — Matches existing codebase patterns

The CDATA markdown approach (<remarks><format type="text/markdown"><![CDATA[...]]></format></remarks>) is consistent with Regex.Match.cs line 445+. The <xref:...> syntax and > [!WARNING] admonition block are standard for the docs rendering pipeline.

✅ RegexOptions.cs — Correct section title reference

The text now reads "NonBacktracking mode" section in the which accurately identifies the section heading in the linked Regular Expression Options article. This was fixed in the follow-up typo commit.

💡 URL consistency — Minor observation

The new warning links to (learn.microsoft.com/redacted) while the existing (related)element at the bottom links to.../best-practices`. These appear to be different slugs; given this is part of a coordinated multi-repo docs update (per the PR description), this is presumably intentional.

💡 Line wrapping — Already flagged by existing reviewer

The long single-line paragraph and warning in the new (remarks) block differs from the wrapped style used in Regex.Match.cs. An existing review thread already covers this observation.

Note

This review was generated by GitHub Copilot.

Generated by Code Review for issue #130271 · ● 14M ·

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants