logstash-plugins / logstash-filter-grok

Grok plugin to parse unstructured (log) data into something structured.
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html
Apache License 2.0
124 stars 98 forks

Add way to terminate long-running execution #82

Closed jordansissel closed 8 years ago

jordansissel commented 8 years ago

JRuby's Joni supports Java's Thread.interrupted(), so we have an option to interrupt long-running groks. Given some recent rise in reports of ReDoS's in grok that I've seen, I think we could make an option in grok to terminate a match if it takes longer than some configured timeout.

Proposal:

jsvd commented 8 years ago

We could also have some heuristics to scan the user-defined grok pattern to look for smells like use of greedy patterns (e.g. .*), and/or uses of GREEDYDATA in the middle of said pattern.
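
The heuristic suggested in the comment above, sketched as an added example (not code from the plugin or from anyone in this thread): it flags a GREEDYDATA or bare `.*`/`.+` that sits before the end of a grok expression, and expressions with more than one greedy wildcard. The names `grok_smells`, `Smell`, `GREEDY_TOKEN` and `SAMPLES` are hypothetical, and treating a single trailing greedy wildcard as acceptable is an assumption of this sketch.

```ruby
# Added example: heuristic lint for grok expressions. Helper names are hypothetical.
# Matches %{GREEDYDATA} or %{GREEDYDATA:field}, or a bare .* / .+ that is
# neither escaped (\.*), lazy (.*?) nor possessive (.*+).
GREEDY_TOKEN = /%\{GREEDYDATA(?::[^}]*)?\}|(?<!\\)\.[*+](?![?+])/

Smell = Struct.new(:token, :offset, :reason)

def grok_smells(pattern)
  # A trailing $, \z or \Z anchor does not count as "more pattern after the token".
  body_end = pattern.sub(/(?:\$|\\[zZ])\z/, '').length

  # Collect every greedy token together with its position in the expression.
  hits = []
  pos = 0
  while (m = GREEDY_TOKEN.match(pattern, pos))
    hits << m
    pos = m.end(0)
  end

  smells = hits.select { |h| h.end(0) < body_end }.map do |h|
    Smell.new(h[0], h.begin(0), 'greedy wildcard before the end of the pattern')
  end
  if hits.length > 1
    smells << Smell.new(hits.map { |h| h[0] }.join(' '), hits.first.begin(0),
                        'several greedy wildcards in one pattern')
  end
  smells
end

# Constructed sample expressions, not taken from the issue.
SAMPLES = {
  'tail only'    => '%{IP:client} %{WORD:verb} %{GREEDYDATA:rest}',
  'mid pattern'  => '%{GREEDYDATA:prefix} user=%{USER:user} %{GREEDYDATA:rest}$',
  'bare dot'     => '^.*error: %{NUMBER:code}$',
  'lazy/escaped' => '^v1\.* %{DATA:msg} .*?end$'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, pat|
    found = grok_smells(pat)
    puts "#{name}: #{found.empty? ? 'ok' : found.map(&:reason).join('; ')}"
  end
end
```

A check like this only looks at the expression text, so it complements a match timeout rather than replacing it: it does not expand custom pattern definitions and cannot prove that a flagged expression is slow.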

jordansissel commented 8 years ago

As an example of a regexp that executes poorly, here: https://github.com/jordansissel/experiments/blob/master/ruby/regexp/interrupt.rb#L3-L7

It's what I was using at the time to test a patch to Joni to make it interruptible.

andrewvc commented 8 years ago

@jordansissel should we also tag this with a _grokparsefailure?

nellicus commented 8 years ago

Any chance that the incriminated regex can be printed out?

magicdude4eva commented 7 years ago

Perhaps related - I just can't see why this grok-pattern would time out: https://github.com/logstash-plugins/logstash-filter-grok/issues/99

andrewvc commented 7 years ago

@nellicus can you open that up as a new ticket and link it here? Good idea!

nellicus commented 7 years ago

Done @andrewvc, thanks.