daniel added a comment.
In T176312#3630934, @Lucas_Werkmeister_WMDE wrote: If we’re going to check the regexes on a microservice, then we might as well use PCRE IMHO, for compatibility’s sake. I don’t think any of the regular regexes on Wikidata result in catastrophic runtime behavior, so if that risk is already mitigated by the microservice, I don’t think we need the extra protection+restrictions of RE2.
That would allow an attacker user to bring down the microservice using a regex crafted for catastrophic backtracking. This is not just about protection against ignorance, it's also about protection against malice.
Of course, bringing down just that service is a lot better than bringing down the application server. But still, if we can protect against that, we should.
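As an added illustration of the trade-off daniel describes (not code from Wikibase or from the microservice discussed in this task), the following Go program validates a user-supplied pattern with Go's regexp package, which implements RE2 syntax and RE2's linear-time matching guarantee. The compile step is the "restriction" side: constructs RE2 cannot express, such as backreferences, are rejected up front. The timed match is the "protection" side: a pattern of the nested-quantifier shape that is catastrophic on a backtracking engine stays linear here. The pattern length cap is an assumed value for the example, not a limit from the task.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// maxPatternLen is an assumed, illustrative cap on user-supplied patterns.
// RE2 is linear in input length but its compiled program grows with the
// pattern, so a service should still bound pattern size.
const maxPatternLen = 256

// ValidateUserRegex compiles a user-supplied pattern with Go's regexp
// package (RE2 syntax). Backreferences and lookaround are not part of RE2,
// so such patterns fail here instead of reaching the matcher.
func ValidateUserRegex(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, fmt.Errorf("pattern too long: %d > %d", len(pattern), maxPatternLen)
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, fmt.Errorf("rejected by RE2 compiler: %w", err)
	}
	return re, nil
}

// TimedMatch runs the match and reports the elapsed time so a service can
// log outliers. Under RE2 the time grows linearly with the input length
// regardless of how the pattern is written.
func TimedMatch(re *regexp.Regexp, input string) (bool, time.Duration) {
	start := time.Now()
	ok := re.MatchString(input)
	return ok, time.Since(start)
}

func main() {
	// A backreference is outside RE2: rejected at validation time.
	if _, err := ValidateUserRegex(`(a)\1`); err != nil {
		fmt.Println("backreference:", err)
	}

	// Nested quantifiers are legal in RE2 and stay linear. On a backtracking
	// engine this pattern is exponential on a long run of 'a' followed by a
	// character that prevents a match.
	re, err := ValidateUserRegex(`^(a+)+$`)
	if err != nil {
		panic(err)
	}
	// Constructed worst-case input: many 'a's, then one non-matching byte.
	input := strings.Repeat("a", 50000) + "!"
	ok, elapsed := TimedMatch(re, input)
	fmt.Printf("matched=%v elapsed=%v\n", ok, elapsed)
}
```

Running the program shows the nested-quantifier pattern finishing in milliseconds on 50,000 characters of adversarial input; the same pattern and input fed to a PCRE-style backtracking matcher is the scenario the comment warns about, and a compile-time check on a backtracking engine cannot rule it out.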
To: daniel
Cc: Anomie, Smalyshev, tstarling, daniel, GWicke, Joe, Lucas_Werkmeister_WMDE, Krinkle, Aklapper, GoranSMilovanovic, QZanden, Agabi10, Izno, SBisson, Wikidata-bugs, aude, jayvdb, fbstj, RobLa-WMF, santhosh, Jdforrester-WMF, Mbch331, Rxy, Jay8g, Ltrlg, bd808, Legoktm
_______________________________________________ Wikidata-bugs mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
