Potential Vulnerability: Regular expression Denial of Service - ReDoS

[ganpatgutte]

Hello,

I came across a potential denial of service vulnerability, if a malicious expression is used the regular expression could run indefinite and may result in denial of service error.

internal class Detector
{
	private readonly ParserSettings _settings;

	private static readonly Regex IdentifiersDetectionRegex = new Regex(@"(?<id>@?[\p{L}\p{Nl}_][\p{L}\p{Nl}\p{Nd}\p{Mn}\p{Mc}\p{Pc}\p{Cf}_]*)", RegexOptions.Compiled);

	private static readonly string Id = IdentifiersDetectionRegex.ToString();
	private static readonly string Type = Id.Replace("<id>", "<type>");
	private static readonly Regex LambdaDetectionRegex = new Regex($@"(\((((?<withtype>({Type}\s+)?{Id}))(\s*,\s*)?)+\)|(?<withtype>{Id}))\s*=>", RegexOptions.Compiled);

	private static readonly Regex StringDetectionRegex = new Regex(@"(?<!\\)?"".*?(?<!\\)""", RegexOptions.Compiled);
	private static readonly Regex CharDetectionRegex = new Regex(@"(?<!\\)?'.{1,2}?(?<!\\)'", RegexOptions.Compiled);

Solution: Restricting or adding some timeout while declaring regex would help avoid the denial of service issue.

your thoughts please!

[davideicardi]

Thank you @ganpatgutte for the report.
By default I think that regular expression are not enabled, see here. This problem is only when someone reference the regular expression type. Right?

Or do you see cases where some injected text could cause this vulnerability?