Details
- Improvement
- Status: Open
- Minor
- Resolution: Unresolved
- s5
- None
- None
Description
Anywhere that we use a * or + in a regex, we need to replace it by {0,N} or {1,N}, where N is a tunable constant taken from the daffodil.compiler.Compiler object (where all the other tunable constants live).

This is to eliminate the issue that regexes can be exploited to crash/disable software by making them either too slow or blowing up some buffer capacity.

Where a + or * will match characters that are part of a delimiter, there should be a constant for maximum delimiter size. Where a + or * will match simple type content, there should be a maximum simple element size. (These are all measured in characters, I believe.) Where a + or * will match complexContent size, there should be a different maximum complex content size.
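The rewrite proposed above, as an added illustration that is not code from the Daffodil project (which is written in Scala) and does not read the real Compiler tunables: a small Python function walks a regex pattern and turns every unbounded `*` and `+` into `{0,N}` and `{1,N}`, skipping escaped metacharacters and character classes and preserving a lazy `?` or possessive `+` modifier. The two limit constants and the `scan_delimited_field` helper are assumptions made for the example; they stand in for the per-purpose maxima (delimiter size, simple element size) the issue asks for.

```python
import re

# Assumed placeholder limits. In Daffodil these would be tunables read from
# daffodil.compiler.Compiler; the values here are constructed for the example.
MAX_DELIMITER_LENGTH = 64
MAX_SIMPLE_ELEMENT_LENGTH = 1024


def bound_quantifiers(pattern: str, max_repeat: int) -> str:
    """Return `pattern` with every unbounded '*' rewritten to '{0,N}' and every
    unbounded '+' rewritten to '{1,N}', N = max_repeat.

    Escaped characters (e.g. '\\*') and anything inside a [...] class are
    copied through untouched. A lazy '?' or possessive '+' following the
    quantifier is kept so the rewritten pattern stays valid.
    """
    out = []
    i, n = 0, len(pattern)
    in_class = False
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:          # escaped char: copy both bytes
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if in_class:                          # inside [...] nothing is a quantifier
            if c == "]":
                in_class = False
            out.append(c)
            i += 1
            continue
        if c == "[":
            in_class = True
            out.append(c)
            i += 1
            if i < n and pattern[i] == "^":   # negated class
                out.append("^")
                i += 1
            if i < n and pattern[i] == "]":   # ']' right after '[' or '[^' is literal
                out.append("]")
                i += 1
            continue
        if c in "*+":
            out.append("{0,%d}" % max_repeat if c == "*" else "{1,%d}" % max_repeat)
            i += 1
            if i < n and pattern[i] in "?+":  # keep lazy / possessive modifier
                out.append(pattern[i])
                i += 1
            continue
        out.append(c)
        i += 1
    return "".join(out)


def scan_delimited_field(text: str, delimiter: str = ",",
                         max_len: int = MAX_SIMPLE_ELEMENT_LENGTH):
    """Match the content of one delimited field at the start of `text`.

    The field regex '[^<delim>]*' is bounded before use, and a lookahead
    requires the delimiter (or end of input) right after the bounded run, so
    a field longer than `max_len` characters is reported as a failure (None)
    instead of being scanned without limit or silently truncated.
    """
    delim = re.escape(delimiter)
    unbounded = "[^" + delim + "]*"
    pattern = bound_quantifiers(unbounded, max_len) + "(?=" + delim + "|$)"
    m = re.match(pattern, text)
    return m.group(0) if m else None


if __name__ == "__main__":
    print(bound_quantifiers(r"[^,]*,", MAX_DELIMITER_LENGTH))
    print(scan_delimited_field("abc,def", max_len=8))
    print(scan_delimited_field("A" * 100 + ",rest", max_len=64))  # None: over limit
```

Bounding the repeat count caps how much input a single quantifier can consume and therefore how large the matched buffer can grow, which is the capacity concern in the issue. It does not on its own remove catastrophic backtracking: nested quantifiers such as `(a{0,N}){1,N}` can still do a great deal of work within the bound, so the per-purpose limits should be kept small and patterns with nested repetition reviewed separately.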