The Integer-Overflow (IOF) vulnerability family is responsible for a dominant part of C/C++ code vulnerabilities, as I shown in my previous post with a specific example. However, the Integer vulnerability class has more than IOFs in it, and this will be the topic of this post.
Regular expressions, or regex, are patterns used commonly for string matching. Although there are several flavors for the regex syntax, the basic building blocks of the pattern language stay roughly the same. While the use of regex for string matching is wide spread, it’s somewhat complicated syntax earned it several jokes, as in this xkcd, or in a comment I recently heard saying that “regex are write-only”, and are tough to read.
What most people don’t know is that the use of regex patterns, that are usually deployed on large input strings, can be sometimes vulnerable to regex Denial of Service (REDoS). A detailed example can be found in the postmortem report about the Stack Exchange outage from last July.