
Reword some regex safety warnings#54621

Open
GrabYourPitchforks wants to merge 1 commit into
mainfrom
levib/update_regex_docs

Conversation

@GrabYourPitchforks GrabYourPitchforks commented Jul 2, 2026

Member

I'm updating regex docs across the various docs repos. This is one part of that update.

Changes:

  • Remove misleading guidance that timeout values are appropriate ways to guard against all hostile values.
  • Create links between security-relevant sections in the regex best practices guidance.
  • Update external link from CISA to OWASP. The CISA guidance is primarily DDoS-related, which isn't quite relevant to the discussion here. OWASP's discussion is geared specifically toward ReDoS, which is on point.

Related PRs:


Internal previews

  • docs/standard/base-types/best-practices-regex.md: Best practices for regular expressions in .NET
  • docs/standard/base-types/regular-expression-options.md: Options for regular expression

Copilot AI left a comment

Contributor


Pull request overview

This PR updates the .NET regular expression security guidance to avoid implying that timeouts alone protect against all hostile scenarios, and it adds clearer cross-links between related sections.

Changes:

  • Rewords the shared regex warning include to focus on ReDoS risk and point readers to the best-practices guidance.
  • Adds targeted warnings clarifying that NonBacktracking and timeouts mitigate expensive input, not malicious patterns.
  • Updates the external reference from CISA DoS guidance to OWASP’s ReDoS-focused material.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

  • includes/regex.md: Updates the reusable warning text to reference OWASP ReDoS guidance and link to the best-practices page.
  • docs/standard/base-types/regular-expression-options.md: Adds a warning in the NonBacktracking section clarifying the threat model and linking to trusted-pattern guidance.
  • docs/standard/base-types/best-practices-regex.md: Adds a consolidated security warning up front and a timeout-specific warning clarifying limitations vs. malicious patterns.
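
The threat-model split the review describes (a trusted pattern guarded against expensive input, versus a pattern that is itself attacker-controlled) in runnable form. This is an added example written for this page, not code from the PR or the .NET docs. It assumes .NET 7 or later for `RegexOptions.NonBacktracking`; the pattern, the hostile input and the 200 ms budget are constructed for the demonstration.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Assumed: .NET 7 or later (RegexOptions.NonBacktracking is not available earlier).
static class RegexGuardDemo
{
    // Trusted pattern authored by the developer. It is a classic backtracking
    // hazard: (\w+\s?)* can split a run of word characters in exponentially many
    // ways before the final '$' fails.
    const string TrustedPattern = @"^(\w+\s?)*$";

    // Constructed hostile input: a long run that almost matches, then a character
    // that forces the overall match to fail and the engine to backtrack.
    static readonly string HostileInput = new string('a', 40) + "!";

    static void Main()
    {
        // 1. Backtracking engine plus a match timeout. The timeout bounds the cost
        //    of one match on hostile INPUT; the caller rejects the input and moves on.
        var withTimeout = new Regex(TrustedPattern, RegexOptions.None,
                                    TimeSpan.FromMilliseconds(200));
        var sw = Stopwatch.StartNew();
        try
        {
            bool m = withTimeout.IsMatch(HostileInput);
            Console.WriteLine($"backtracking: {m} in {sw.ElapsedMilliseconds} ms");
        }
        catch (RegexMatchTimeoutException)
        {
            Console.WriteLine($"backtracking: timed out after {sw.ElapsedMilliseconds} ms; input rejected");
        }

        // 2. NonBacktracking engine on the same trusted pattern. Match time is
        //    linear in the input, so the same hostile input finishes immediately
        //    and no timeout is needed against this threat.
        var linear = new Regex(TrustedPattern, RegexOptions.NonBacktracking);
        sw.Restart();
        bool ok = linear.IsMatch(HostileInput);
        Console.WriteLine($"NonBacktracking: {ok} in {sw.ElapsedMilliseconds} ms");

        // 3. What neither guard is designed for: the PATTERN coming from the attacker.
        //    The match timeout applies to match operations, not to constructing the
        //    Regex, and NonBacktracking refuses constructs it does not support
        //    (backreferences, lookarounds, atomic groups). An untrusted pattern
        //    therefore has to be validated or refused up front, not "timed out".
        string untrustedPattern = @"(?<x>a)\k<x>"; // constructed: uses a backreference
        try
        {
            _ = new Regex(untrustedPattern, RegexOptions.NonBacktracking);
            Console.WriteLine("untrusted pattern accepted (unexpected for this pattern)");
        }
        catch (NotSupportedException e)
        {
            Console.WriteLine($"untrusted pattern rejected at construction: {e.Message}");
        }
    }
}
```

Run it as a console app; step 1 reports a timeout, step 2 returns `False` in a few milliseconds, and step 3 shows that the failure mode for an attacker-supplied pattern surfaces in the constructor, outside the window a match timeout covers.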

Comment thread includes/regex.md

Member Author

I'm intentionally ignoring the markdownlint violations since I don't believe I changed the newlines in the file. (The original file started with a stray newline, and it didn't end with a newline.)

If the reviewers want these addressed, just say the word!
