d1tto / Rengar

Effective ReDoS Detection by Principled Vulnerability Modeling and Exploit Generation

How can I use this tool properly? #1

Open NapoliN opened 3 months ago

NapoliN commented 3 months ago

I read the paper with great interest. I looked for it because it said that the implementation was publicly available, and I found this repository. When I actually used it, the behavior was different from what I expected.

For example, the regular expression ^(a|ab)+$, which was shown to be a True Negative in the paper, seems to be wrongly detected as EOLS in the static analysis part. Note that this example is reported as Negative because the dynamic analysis cannot generate a valid attack string. However, I believe that if it is as described in the paper, it should be found negative in the static analysis portion.


Here is the code I ran before I used the tool.

mvn compile
mvn install
java -classpath target/Rengar-1.0-jar-with-dependencies.jar --enable-preview rengar.cli.Main -s XihhfGFiKSs=

Here, XihhfGFiKSs= is the result of base64 encoding of the regular expression ^(a|ab)+$. Am I executing it incorrectly? If so, I would like to know how to build and execute it correctly.

Referring to the code, I considered the possibility that Rengar-fold was being called because the part of the code written in reference to the ReDoSHunter implementation, which is a prior study, was being executed. I am also curious about the Unfold implementation and would like to know which file it is implemented in.

Translated with DeepL.com (free version)

d1tto commented 2 months ago

The current workflow is as follows:

The code with semantic checking is missing and cannot be found on your computer, but you can use the StringGenerator class to implement the idea in the paper, which is straightforward. Using EOLS as an example, you can generate paths for each branch and then determine if there is an intersection.
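The branch-intersection idea from the comment above, as an added illustration that is not Rengar's own code and does not use its StringGenerator class: the helper below splits a quantified group's body on its top-level `|`, enumerates every string each branch fully matches up to a bounded length over a fixed alphabet (a brute-force stand-in, assumed here, for the paper's path generation), and reports branch pairs whose languages intersect. Run on the body of the group in ^(a|ab)+$, the branches `a` and `ab` share no string, so this check is negative, which matches the True Negative reported in the paper; a body such as `a|a*` does produce an overlap. The function names, the alphabet and the length bound are all assumptions of this example.

```python
import itertools
import re


def split_top_level_alternation(body):
    """Split a group body on '|' at nesting depth 0.

    Handles backslash escapes, nested parentheses and character classes
    (simplified: a ']' immediately after '[' is not treated specially).
    """
    branches, current = [], []
    depth, in_class, escaped = 0, False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
            continue
        if ch == "\\":
            current.append(ch)
            escaped = True
            continue
        if in_class:
            current.append(ch)
            if ch == "]":
                in_class = False
            continue
        if ch == "[":
            in_class = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            branches.append("".join(current))
            current = []
            continue
        current.append(ch)
    branches.append("".join(current))
    return branches


def enumerate_language(branch_regex, alphabet, max_len):
    """Return the set of strings over `alphabet`, up to `max_len` characters,
    that `branch_regex` matches in full (bounded stand-in for path generation)."""
    compiled = re.compile(branch_regex)
    found = set()
    for n in range(max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            candidate = "".join(chars)
            if compiled.fullmatch(candidate):
                found.add(candidate)
    return found


def overlapping_branches(group_body, alphabet="ab", max_len=4):
    """List (branch_i, branch_j, common_strings) for every pair of branches of
    `group_body` whose bounded languages intersect. An empty list means the
    branches are disjoint up to `max_len`, i.e. this static check is negative."""
    branches = split_top_level_alternation(group_body)
    langs = [enumerate_language(b, alphabet, max_len) for b in branches]
    overlaps = []
    for (i, lang_i), (j, lang_j) in itertools.combinations(enumerate(langs), 2):
        common = lang_i & lang_j
        if common:
            overlaps.append((branches[i], branches[j], sorted(common)))
    return overlaps


if __name__ == "__main__":
    # Constructed inputs: the group body from ^(a|ab)+$ and two overlapping bodies.
    for body in ("a|ab", "a|a", "a|a*|(b|c)"):
        result = overlapping_branches(body, alphabet="abc", max_len=3)
        print(f"({body}) -> {'overlap ' + str(result) if result else 'disjoint'}")
```

The bound `max_len` makes this a sound-but-incomplete check: an empty result only says no common string exists up to that length, which is why a tool like Rengar pairs such static reasoning with a dynamic confirmation step.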

xcv0603 commented 1 month ago

Thank you for your comment. I have a question while implementing EOLS. As you mentioned, using StringGenerator to obtain the path for branches and then determining the intersection seems to work well, but I am wondering whether this pattern can include the NQ pattern (exponential). For example, in the case of (a)c, there are no branches and only one subregex 'a*', so there is no subregex to compare with. Doesn't this mean it cannot be included in EOLS? In the paper, it is mentioned that all exponential patterns can be included with one type of EOLS pattern, which raises my question. Thank you!