Types of changes
Bug fix (non-breaking change which fixes an issue)
Checklist:
[x] I have updated the documentation accordingly (or changes are not required).
[x] I have added tests to cover my changes (or new tests are not required).
Description
This PR corrects a regex used for IPv4 addresses used in http_servers.xml. The regex failed to escape a . and could DoS the parser when processing very long numeric sequences. The PR correctly escapes the period and limits the number of repeating digits allowed before the match fails.
This issue was highlighted in a PR to recog-java here: https://github.com/rapid7/recog-java/pull/7
Motivation and Context
Bug fix, performance improvement
How Has This Been Tested?
rspec with built in example tests. I have also tested the regex with Go and Rust online regex testers. Both of these languages use the RE2 engine by default.
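An added illustration of the two fixes this PR describes, not code from the PR or from recog: the PR text does not quote the actual http_servers.xml regex, so LOOSE and HARDENED are constructed stand-ins, and audit_ipv4_pattern, unbounded? and accepts? are hypothetical helpers. It flags a bare "." and open-ended digit repetition in a pattern source, then shows which constructed banners each pattern accepts.

```ruby
# Constructed stand-ins: the PR text does not quote the real http_servers.xml regex.
LOOSE    = '^Server at (\d+.\d+.\d+.\d+)$'
HARDENED = '^Server at (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$'

# True when the text right after a token is an open-ended quantifier: +, * or {n,}.
def unbounded?(rest)
  rest.to_s.match?(/\A(?:[+*]|\{\d*,\})/)
end

# Hypothetical lint helper: walk a regex source string and report
# [:bare_dot, index] for "." outside a character class and
# [:unbounded_digits, index] for \d followed by an open-ended quantifier.
def audit_ipv4_pattern(source)
  findings = []
  in_class = false
  i = 0
  while i < source.length
    ch = source[i]
    if ch == '\\'
      # Escaped tokens (\d, \., ...) span two characters; only \d is checked.
      if source[i + 1] == 'd' && unbounded?(source[(i + 2)..-1])
        findings << [:unbounded_digits, i]
      end
      i += 2
      next
    end
    in_class = true if ch == '['
    in_class = false if ch == ']'
    findings << [:bare_dot, i] if ch == '.' && !in_class
    i += 1
  end
  findings
end

# Constructed banners showing what each defect lets through.
SAMPLES = {
  dotted_quad: 'Server at 192.168.1.10',
  no_dots:     'Server at 10x20y30z40',
  digit_run:   'Server at ' + '1' * 64
}.freeze

def accepts?(source, banner)
  Regexp.new(source).match?(banner)
end

SAMPLES.each do |name, banner|
  puts format('%-12s loose=%-5s hardened=%s', name, accepts?(LOOSE, banner), accepts?(HARDENED, banner))
end
```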