Is Regexp.new (user_input) in ruby safe?

Question

Is Regexp.new (user_input) in ruby safe?

Is it safe to create an object Regexp

from a custom request directly or do I need to do some checks first? The documentation doesn't say much about one or the other.

+3

security ruby

taw June 11. 17 at 19:45

source to share

1 answer

Horacio Branciforte · Answer 1 · 2017-06-11T22:13:34+0000

Sounds good if you allow any regexp to be created may be unsafe (possibly DOS reason) as regexp can be cpu intensive.

I would not like my client to be free to create their own regex.

https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

Is Regexp.new (user_input) in ruby ​​safe?

More articles:

Is Regexp.new (user_input) in ruby safe?