Correction plugin is prone to regex denial of service

[ius]

The correction.py plugin uses regular expressions to match (and replace) user-supplied input.

A malicious user can use a complex regular expression to consume excessive resources and cause the bot to become unresponsive, eventually disconnecting from the network.

Proof of concept:
s/(.+)+x//

Simplifying the correction plugin to only support simple, non-regex replacements is the most obvious solution.

Reference: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

[dmptrluke]

Pinging the creator, @nasonfish

[nasonfish]

A temporary fix for this was pushed here: http://git.io/Aa9D and I'll look into a better fix so we still have some tools that can be useful for corrections that come with regular expressions.

[Red-M]

I'd recommend that we take a page from @lahwran and use google apps to do the replacement and still allow the option to do it locally via either unsafe regex or with the current method.

AKA add configuration options to allow for a selection on how to do it whether it be by google app engines, local regex or the current method that is in cloudbot right now.

EDIT: when you use local regex we should also display a warning to the console along with the reason why (link to stakexchange or other similar site showing the issue).
For when we send to google apps display a console message saying that we are sending lines to google to do the regex processing.
Basically do full disclosure of the issue and let the bot owner make the choice on how it operates for the time being until we get @lukeroge to make a multiprocessing sandbox for the regex replacement or soemthing else.