rspec/rules/S6444/description.adoc

Not specifying a timeout for regular expressions can lead to a Denial-of-Service attack.
Pass a timeout when using `System.Text.RegularExpressions` to process untrusted input because a malicious user might craft a value for which the evaluation lasts excessively long.

== Ask Yourself Whether

* the input passed to the regular expression is untrusted.
* the regular expression contains patterns vulnerable to https://www.regular-expressions.info/catastrophic.html[catastrophic backtracking].

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

* It is recommended to specify a https://learn.microsoft.com/dotnet/standard/base-types/best-practices#use-time-out-values[`matchTimeout`] when executing a regular expression.
* Make sure regular expressions are not vulnerable to Denial-of-Service attacks by reviewing the patterns.
* Consider using a non-backtracking algorithm by specifying https://learn.microsoft.com/dotnet/api/system.text.regularexpressions.regexoptions?view=net-7.0[`RegexOptions.NonBacktracking`].
Create rule S6444: RegEx evaluation should have a time out specified (#1188) 2022-12-15 11:55:35 +01:00			`Not specifying a timeout for regular expressions can lead to a Denial-of-Service attack.`
			Pass a timeout when using `System.Text.RegularExpressions` to process untrusted input because a malicious user might craft a value for which the evaluation lasts excessively long.

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`== Ask Yourself Whether`

			`* the input passed to the regular expression is untrusted.`
			`* the regular expression contains patterns vulnerable to https://www.regular-expressions.info/catastrophic.html[catastrophic backtracking].`

			`There is a risk if you answered yes to any of those questions.`


			`== Recommended Secure Coding Practices`

			* It is recommended to specify a https://learn.microsoft.com/dotnet/standard/base-types/best-practices#use-time-out-values[`matchTimeout`] when executing a regular expression.
			`* Make sure regular expressions are not vulnerable to Denial-of-Service attacks by reviewing the patterns.`
			* Consider using a non-backtracking algorithm by specifying https://learn.microsoft.com/dotnet/api/system.text.regularexpressions.regexoptions?view=net-7.0[`RegexOptions.NonBacktracking`].
Create rule S6444: RegEx evaluation should have a time out specified (#1188) 2022-12-15 11:55:35 +01:00