fnando/browser

Avoid ReDoS attacks

ddlogesh opened this issue · 4 comments

As we are using regexes to identify the pattern, it is recommended to have an input (user-agent) size restriction to avoid ReDoS attacks.

@ddlogesh I think that's a good idea. What do you think is a fair size? I'm leaning towards something small like 1024 bytes, but configurable.

I was testing with a few datasets from various devices & platforms and nothing crossed 256 characters. So, we can have a max size of 256 along with customization.
So, if the user feels the need to increase/decrease the size, it should be possible.

OK, let's err on the side of a bigger size, like 512 bytes. Anyone more conservative can always set a lower size.

Yeah, it makes sense.
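The guard the thread converges on, written out as an added example (this is not the browser gem's own code; the `UserAgentGuard` module, the `detect_browser` helper and the two regexes in `PATTERNS` are constructed here for illustration). It enforces a configurable limit, defaulting to the 512 bytes agreed above, and measures in bytes rather than characters so a multibyte user agent cannot slip past a character-based check. The size check runs before any regex touches the input, which is the whole point: the regex engine never sees a string long enough to make backtracking expensive.

```ruby
# Added example, not code from fnando/browser: a configurable user-agent size
# guard that runs before regex matching, as discussed in the issue thread.
module UserAgentGuard
  DEFAULT_MAX_SIZE = 512 # bytes, the value the thread settled on

  class TooLarge < ArgumentError; end

  class << self
    # Assigning nil restores the default; any positive integer overrides it.
    attr_writer :max_size

    def max_size
      @max_size || DEFAULT_MAX_SIZE
    end
  end

  # True when the user agent may be handed to the regex matcher.
  # bytesize, not length: "é" is one character but two bytes in UTF-8.
  def self.acceptable?(user_agent)
    user_agent.to_s.bytesize <= max_size
  end

  # Raising variant for callers that prefer an exception over a flag.
  def self.check!(user_agent)
    ua = user_agent.to_s
    if ua.bytesize > max_size
      raise TooLarge, "user agent is #{ua.bytesize} bytes; limit is #{max_size}"
    end
    ua
  end
end

# Minimal matcher that only runs regexes on guarded input. The patterns are
# constructed for this example and are not the gem's real detection rules.
PATTERNS = {
  chrome: %r{Chrome/(\d+)},
  firefox: %r{Firefox/(\d+)},
}.freeze

# Returns :rejected for oversized input, a browser symbol on a match, else :unknown.
def detect_browser(user_agent)
  return :rejected unless UserAgentGuard.acceptable?(user_agent)

  PATTERNS.each do |name, re|
    return name if re.match?(user_agent)
  end
  :unknown
end

if __FILE__ == $PROGRAM_NAME
  sample = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 " \
           "(KHTML, like Gecko) Chrome/120.0 Safari/537.36"
  p detect_browser(sample)        # constructed sample, well under the limit
  p detect_browser("x" * 10_000)  # constructed oversized input, rejected before any regex runs
end
```

Whether to reject or truncate oversized input is a policy choice; rejecting (as here) keeps the matcher's behaviour simple and makes oversized user agents visible in logs, while truncation would let a partial string through to the regexes.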