Reword some regex safety warnings #12848

Open: GrabYourPitchforks wants to merge 1 commit into main from levib/update_regex_docs

GrabYourPitchforks (Member) commented Jul 2, 2026

I'm updating regex docs across the various docs repos. This is one part of that update.

Changes:

  • Remove misleading guidance that timeout values are appropriate ways to guard against all hostile values.
  • Consolidate the warnings to the Regex type rather than just two specific constructors.
  • Update external link from CISA to OWASP. The CISA guidance is primarily DDoS-related, which isn't quite relevant to the discussion here. OWASP's discussion is geared specifically toward ReDoS, which is on point.

Related PRs:

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the .NET API reference documentation to present more accurate guidance about regular expression safety, consolidating the primary warning at the Regex type level and updating an external reference to a ReDoS-focused resource.

Changes:

  • Converts Regex type-level remarks to Markdown and adds a centralized warning about using Regex with untrusted input, linking to OWASP ReDoS guidance.
  • Removes the prior constructor-level warning text that implied timeouts are a sufficient defense against all hostile inputs.
  • Tweaks RegexOptions.NonBacktracking summary text to point readers to the “Non-Backtracking mode” section of the options article.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| xml/System.Text.RegularExpressions/RegexOptions.xml | Clarifies the NonBacktracking option summary with a more specific docs pointer. |
| xml/System.Text.RegularExpressions/Regex.xml | Centralizes and rewords regex safety guidance in the type-level remarks and removes redundant constructor warnings. |

BillWagner requested review from adegeo and gewarren July 2, 2026 14:16

gewarren (Collaborator) left a comment

I don't know why the GitOps policy we have to prevent edits to these files didn't fire, but System.Text.RegularExpressions has its source of truth for docs in the dotnet/runtime repo as of a few weeks ago. So please make these changes there instead: https://github.com/dotnet/runtime/blob/0a8142e2de2a05ac170dac8e9edffb41d059463b/src/libraries/System.Text.RegularExpressions/src/System/Text/RegularExpressions/Regex.cs#L24
