The details

Start...End time (UTC)
2023-05-12 07:00 - 07:30
Language
ja
Description about the talk
Just evaluating inefficient regular expressions may break your service - one with an exponential time complexity may cause a denial-of-service (ReDoS), depending on engines. Ruby had adopted a native algorithm like some of the major languages, leaving a risk of ReDoS. However, Ruby 3.2 introduced drastic updates to the Regexp engine internals to reduce the risk. Ruby developers no longer need to be afraid of it for basic usage. To confirm the effectiveness of the language-level changes in addressing ReDoS, this talk will provide a case study by highlighting real ReDoS vulnerabilities in GitLab. Each was resolved in app-level approaches, but this talk will show how the vulnerabilities relate to the old engine's characteristics and how the new engine contributes to eliminating it at scale. The talk will also present recommended coding practices for Ruby users to avoid ReDoS vulnerabilities, considering attack vectors uncovered by the updates and the appropriate usage of timeouts.