ossf / secure-sw-dev-fundamentals

Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)
Creative Commons Attribution 4.0 International

Regex ReDoS test answer is incomplete/incorrect #127

Open wdoekes opened 1 year ago

wdoekes commented 1 year ago

The question about resolving the ReDoS requests a change from ^(PATTERN+)*$ to ^PATTERN+$, but that is not entirely correct.

The correct option would be: ^(PATTERN+)$ because it keeps the capture group that part of the software could rely on.

Compare these:

>>> re.match(r'^([a-z]+)*$', 'zzz').groups()[0]
'zzz'

>>> re.match(r'^([a-z]+)$', 'zzz').groups()[0]
'zzz'

>>> re.match(r'^[a-z]+$', 'zzz').groups()[0]
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
IndexError: tuple index out of range

(I realise just now that this might not be the correct place to file this. I was checking the developing-secure-software-lfd121 content. If I'm in the wrong place, I am sorry.)
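As an added example (it is not part of this issue or of the course material), the following Python script compares the three patterns from the comment above: whether each still exposes a capture group, which constructed inputs each accepts, and how long a failing match takes on the nested-quantifier form as the input grows. The pattern names, helper functions and sample inputs are my own; the only thing taken from the page is the three regular expressions.

```python
import re
import time

# The three patterns discussed in the issue (constructed here from the
# comment above; not the course's own code).
VULNERABLE = re.compile(r'^([a-z]+)*$')        # nested quantifier, backtracks
FIXED_NO_GROUP = re.compile(r'^[a-z]+$')       # the course's rewrite
FIXED_WITH_GROUP = re.compile(r'^([a-z]+)$')   # the rewrite proposed above

# Constructed sample inputs; '' is included on purpose because the nested
# form accepts zero repetitions while the rewrites require at least one.
SAMPLES = ['zzz', 'abc', '', 'abc1', 'ABC', 'a b']


def accepts(pattern, text):
    """True when the whole of `text` is accepted by `pattern`."""
    return pattern.match(text) is not None


def first_group(pattern, text):
    """The first capture group of a match, or None when the pattern has no
    groups or does not match (the IndexError case in the comment above)."""
    m = pattern.match(text)
    if m is None or pattern.groups == 0:
        return None
    return m.group(1)


def differing_inputs(patterns, samples):
    """Samples on which the given patterns do not all agree, so a reviewer
    can see whether a ReDoS rewrite silently changed the accepted language."""
    disagreements = []
    for s in samples:
        verdicts = {accepts(p, s) for p in patterns}
        if len(verdicts) > 1:
            disagreements.append(s)
    return disagreements


def failing_match_seconds(pattern, n):
    """Seconds spent rejecting n lowercase letters followed by '!'.  For the
    nested-quantifier pattern this grows roughly as 2**n; for the rewrites it
    stays linear in n."""
    text = 'a' * n + '!'
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == '__main__':
    for name, p in [('vulnerable', VULNERABLE),
                    ('fixed, no group', FIXED_NO_GROUP),
                    ('fixed, with group', FIXED_WITH_GROUP)]:
        print(f'{name:18s} groups={p.groups} first_group("zzz")='
              f'{first_group(p, "zzz")!r}')

    print('inputs where the three patterns disagree:',
          differing_inputs([VULNERABLE, FIXED_NO_GROUP, FIXED_WITH_GROUP],
                           SAMPLES))

    # Small n keeps the demonstration short; each +4 letters multiplies the
    # vulnerable pattern's time by roughly 16.
    for n in (12, 16, 20):
        print(f'n={n:2d} vulnerable={failing_match_seconds(VULNERABLE, n):.4f}s'
              f' fixed={failing_match_seconds(FIXED_WITH_GROUP, n):.6f}s')
```

The `differing_inputs` check is the part worth keeping around: besides preserving the capture group, a rewrite of `^(PATTERN+)*$` should be checked against the empty string, which the original accepts and both rewrites reject.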