Hacker News new | past | comments | ask | show | jobs | submit login

Because it is a mechanism for ReDOS, and the standard library should not be introducing vulnerabilities into users. Other libraries can implement it for folks who decide they really need it.



You need to put a time limit on your regex execution no matter what, if you're parsing untrusted input.


Not necessarily. But it's complicated. See: https://docs.rs/regex/latest/regex/#untrusted-input

One of the key advantages of a regex engine based on finite automata is that it lets you make guarantees about the runtime performance of a search.


Okay, let me amend my comment. If you have a degree in CS, you're absolutely sure that you've understood all the caveats of the libraries you're using, and you limit your inputs so that the expected running time is under your target execution time, then you can avoid putting a timeout on your regex executions. In any other case, add a timeout.


I certainly wouldn't agree with that at all. And I don't see what a "degree in CS" has to do with anything.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: