I’m creating a blocking routing rule with many matchers to prevent dependency namespace confusion attacks. In my case this requires enumerating all component names that I’m trying to block, and there are a few hundred of those. The regex structure is as follows, so processing should be efficient:
/(comp-1|comp-2|…|comp-n)/.*
What is the maximum length of the matcher regex pattern? I’d like to use fewer matchers with more alternate component names in each, but I don’t want exceed whatever the limit of the regex pattern length is.
I don’t believe we enforce a limit, it would default to whatever the underlying JDK supports. However you should be cautious of this approach as it may be expensive, and potentially lead to a ReDoS.
Sonatype’s Firewall product includes protection namespace attacks.
Thanks @mpiggott, I was aware of ReDoS being a potential issue. My regex doesn’t contain any of the Evil patterns, therefore, not likely to be vulnerable, although I could change to using a non-capturing group. I’ll introduce these rules gradually while monitoring the service performance.
When you say, “whatever the underlying JDK supports”, do you mean any particular Java class?
Currently for the regular expression evaluation we’re using Pattern (Java Platform SE 8 ) . I’m not sure if any Java implementations have limitations on the size of expressions.