
You need to put a time limit on your regex execution no matter what, if you're parsing untrusted input.



Not necessarily. But it's complicated. See: https://docs.rs/regex/latest/regex/#untrusted-input

One of the key advantages of a regex engine based on finite automata is that it lets you make guarantees about the runtime performance of a search.


Okay, let me amend my comment. If you have a degree in CS, you're absolutely sure that you've understood all the caveats of the libraries you're using, and you limit your inputs so that the expected running time is under your target execution time, then you can avoid putting a timeout on your regex executions. In any other case, add a timeout.


I certainly wouldn't agree with that at all. And I don't see what a "degree in CS" has to do with anything.
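The time limit discussed in this thread, sketched for a backtracking engine with no built-in timeout (Python's `re`), with the search run in a child process that is killed when the limit expires. This is an added example, not code from any commenter; `bounded_search`, the length cap, the exit codes and the sample inputs are assumptions made for illustration.

```python
import subprocess
import sys

# Worker script run in a separate interpreter: pattern arrives in argv,
# the untrusted text on stdin. Exit code 10 = match, 11 = no match.
# Any other exit code (e.g. 1 from an uncaught re.error) is a failure.
_WORKER = (
    "import re, sys\n"
    "pattern = sys.argv[1]\n"
    "text = sys.stdin.read()\n"
    "sys.exit(10 if re.search(pattern, text) else 11)\n"
)

MAX_INPUT_CHARS = 10_000  # assumed cap; size it to your own workload


def bounded_search(pattern, text, timeout_s=1.0):
    """Return True/False for match/no match, or None when a limit is hit."""
    # Cheap first line of defence: refuse oversized input outright.
    if len(text) > MAX_INPUT_CHARS:
        return None
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _WORKER, pattern],
            input=text,
            text=True,
            timeout=timeout_s,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run() kills the child before raising, so the
        # runaway search does not keep burning CPU after we give up.
        return None
    if proc.returncode == 10:
        return True
    if proc.returncode == 11:
        return False
    raise ValueError("regex worker failed (invalid pattern?)")


if __name__ == "__main__":
    # Constructed inputs: a benign match, then nested quantifiers that
    # make a backtracking engine take exponential time on a near-miss.
    print(bounded_search(r"^\d{4}-\d{2}$", "2024-05"))
    print(bounded_search(r"(a+)+$", "a" * 40 + "!"))
```

A process per search is expensive; the point is that the limit is enforced from outside the engine, which is the only option when the engine itself offers no runtime guarantee.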



