rack
Potential Polynomial regex used (says CodeQL)
Due to https://github.com/rack/rackup/issues/13 (and other version dependency issues) we've been forced to vendor a "fake" version 1.0 that fixes that issue within our project, but CodeQL isn't very happy about the regex being used.
This is exactly the same code present in this repo in: https://github.com/rack/rackup/blob/main/lib/rackup/handler.rb#L107-L108
I don't see the issue since [A-Z]+ and [^A-Z] have no overlap... does anyone else see it or is this a false positive?
Ruby 3.2.something:
# 100mb of repeated "A"s
> bad_input="/super/man/#{"A"*100000000}/lives"; nil
=> nil
[14] pry(main)> Benchmark.measure { bad_input.match(/[A-Z]+[^A-Z]/) }.real
=> 0.8092678760003764
Seems plenty fast to me...
Oh CodeQL did say the problem was much improved with Ruby 3.2, let me try 3.1...
> bad_input="/super/man/#{"A"*100000000}/lives"; nil
=> nil
irb(main):007> RUBY_VERSION
=> "3.1.2"
irb(main):008> Benchmark.measure { bad_input.match(/[A-Z]+[^A-Z]/); }.real
=> 0.4945120000047609
irb(main):009> bad_input.match(/[A-Z]+[^A-Z]/)[0].size
=> 100000001
Still seems fine.
I also don't believe this input is ever "user controlled". However, I'd be fine for a PR to fix this if it doesn't significantly increase complexity.
@tenderlove you are an expert on these issues - is there anything we need to do here?
Since it's not user controlled, I'm not worried about it. If someone sends a PR to clean up the regex though I'm also happy to merge it
I agree, if anyone wants to make a PR, it would be welcome. Otherwise, I'll close this issue for now.