Open keyouhui opened 4 years ago
My vuln-regex-detector tools should support such a regex (by modeling large quantifications as a * or a +).
Can you share a copy of the regex fuzzer with me? I'm not sure where to find it.
On Mon, Jan 20, 2020, 2:47 AM keyouhui notifications@github.com wrote:
The regex ^[0-9]{0,65536}$ will cause RegexStaticAnalysis to hang. Please confirm the normal regex. But the tool SDL Regex Fuzzer v1.10 will check it very fast.
^[0-9]{0,65536}$ Have you tested this regex? Will it hang? I have tested for half an hour and it cannot print a result, but other regexes are normal.
That regex is safe.
Can you share the SDL regex fuzzer with me, or tell me where to find a download?
Yes, ^[0-9]{0,65536}$ is safe, but RegexStaticAnalysis will hang when checking this regex. About SDL Regex Fuzzer, you can search using Google: https://www.microsoft.com/security/blog/2010/10/12/new-tool-sdl-regex-fuzzer/ It is a Microsoft tool.
Yes, the regex is safe and this tool will hang on it. You can try my wrapper, vuln-regex-detector, here. It should work by applying the modeling I mentioned earlier.
I am aware of the Microsoft link, but as far as I know the tool itself has not been available for download in several years. Do you know of somewhere where I can obtain it?
- vuln-regex-detector
How to use vuln-regex-detector? Is it a Java API? I want to verify whether a regex is vulnerable to ReDoS.
I have downloaded the vuln-regex-detector source, but it is a Perl script. It is not a Java API.
It's a CLI. There's a web service if you want to set that up locally. Details in the project repo.
On Mon, Jan 20, 2020, 8:04 PM keyouhui notifications@github.com wrote:
- vuln-regex-detector
How to use vuln-regex-detector? Is it a Java API? I want to verify whether a regex is vulnerable to ReDoS.
Does it need Perl command support? Could you tell me how to use the CLI?
Please look over the project (link is above) and post questions as issues there.
On Tue, Jan 21, 2020, 8:11 AM keyouhui notifications@github.com wrote:
Does it need Perl command support? Could you tell me how to use the CLI?
-rwxrwxr-x. 1 kk kk 11556 Jan 22 15:15 check-regex.pl
[kk@lfgphicprd07444 kk]$ ./check-regex.pl
: No such file or directory
[kk@lfgphicprd07444 kk]$ ./check-regex.pl -pattern a
: No such file or directory
perl check-regex.pl
Can't locate JSON/PP.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at check-regex.pl line 11.
BEGIN failed--compilation aborted at check-regex.pl line 11.
Open issues there if you have trouble understanding the documentation.
On Wed, Jan 22, 2020, 2:39 AM keyouhui notifications@github.com wrote:
perl check-regex.pl
Can't locate JSON/PP.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at check-regex.pl line 11.
BEGIN failed--compilation aborted at check-regex.pl line 11.
The regex ^[0-9]{0,65536}$ will cause RegexStaticAnalysis to hang. Please confirm the normal regex. But the tool SDL Regex Fuzzer v1.10 will check the regex very fast.
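The modeling mentioned in this thread (treating a large counted quantifier as a * or a +) can be sketched as a preprocessing step run before a pattern is handed to a static analyzer. This is an added example, not code from RegexStaticAnalysis or vuln-regex-detector; the function name, the 1000 cut-off and the Perl/Python-style character-class rules are assumptions.

```python
import re

# Assumed cut-off (hypothetical, not taken from either tool): counted
# repetitions whose largest bound exceeds this are relaxed.
LARGE_BOUND = 1000
_COUNTED = re.compile(r"\{(\d+)(,(\d*))?\}")  # {n}, {n,} or {n,m}


def relax_large_quantifiers(pattern, limit=LARGE_BOUND):
    """Rewrite X{n,m} with a large bound as X* (n == 0) or X+ (n >= 1).

    The result accepts a superset of the original language, so it is only
    suitable as analyzer input, never for matching."""
    out, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])  # escaped character: copy unchanged
            i += 2
            continue
        if in_class:
            in_class = ch != "]"  # "]" closes the class; braces inside are literal
        elif ch == "[":
            in_class = True
            j = i + 1  # a leading "^" and then a leading "]" belong to the class
            if pattern[j:j + 1] == "^":
                j += 1
            if pattern[j:j + 1] == "]":
                j += 1
            out.append(pattern[i:j])
            i = j
            continue
        elif ch == "{" and out:
            m = _COUNTED.match(pattern, i)
            if m:
                low = int(m.group(1))
                high = m.group(3) if m.group(2) else m.group(1)
                biggest = max(low, int(high)) if high else low  # "" = no upper bound
                if biggest > limit:
                    out.append("*" if low == 0 else "+")
                    i = m.end()
                    continue
        out.append(ch)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    print(relax_large_quantifiers("^[0-9]{0,65536}$"))  # the regex from this thread
```

Small bounds such as a{2,5}, escaped braces and braces inside a character class are left untouched, so only the repetitions above the cut-off change shape.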