Use secure alternatives for regex #176
Comments
|
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/35522 Performance is one concern, security and correctness are another. As part of this audit, it was found that most of the regexes we use were incorrect in some subtle way, or could be greatly simplified by either calling the libraries built-in string verification routines, or handling errors properly. A good example of this is https://adtmag.com/Blogs/Dev-Watch/2016/07/stack-overflow-crash.aspx bmcweb should be avoiding issues like these. |
edtanous
changed the title
|
Most uses of regex have been removed. For uses in non-deprecated options, there is one usage left in ethernet, which needs moved into the hostname-handling daemon. https://github.com/openbmc/bmcweb/search?q=std%3A%3Aregex |
Per [1] we really shouldn't be using regex. In the cases we do, it's a HUUUUUGE performance benefit to be compiling the regex ONCE. The only downside is a slight increase in memory usage. [1]: #176 Signed-off-by: Ed Tanous <[email protected]> Change-Id: I8644b8a07810349fb60bfa0258a13e815912a38e
We have been using the regex for validating an input string.
This issue is opened to address Ed's concern over the usage of regex -
Std::regex is slow, takes a lot of memory, and complicates things that should be simple. In most cases, there are much more performant alternatives that are more clear in code.
The text was updated successfully, but these errors were encountered: