16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
18 lines
1.0 KiB
Plaintext
18 lines
1.0 KiB
Plaintext
Not specifying a timeout for regular expressions can lead to a Denial-of-Service attack.
|
|
Pass a timeout when using `System.Text.RegularExpressions` to process untrusted input because a malicious user might craft a value for which the evaluation lasts excessively long.
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* the input passed to the regular expression is untrusted.
|
|
* the regular expression contains patterns vulnerable to https://www.regular-expressions.info/catastrophic.html[catastrophic backtracking].
|
|
|
|
There is a risk if you answered yes to any of those questions.
|
|
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
* It is recommended to specify a https://learn.microsoft.com/dotnet/standard/base-types/best-practices#use-time-out-values[`matchTimeout`] when executing a regular expression.
|
|
* Make sure regular expressions are not vulnerable to Denial-of-Service attacks by reviewing the patterns.
|
|
* Consider using a non-backtracking algorithm by specifying https://learn.microsoft.com/dotnet/api/system.text.regularexpressions.regexoptions?view=net-7.0[`RegexOptions.NonBacktracking`].
|
|
|