
Why is the max regex length of expression#OperatorMatches always changing? #32619

Closed
Yannis-01 opened this issue Apr 11, 2024 · 3 comments
Labels
status: duplicate A duplicate of another issue

Comments

@Yannis-01

Spring version 5.3.25: no limit
Spring version 5.3.26: MAX_REGEX_LENGTH = 256
Spring version 5.3.29: MAX_REGEX_LENGTH = 1000

public class OperatorMatches extends Operator {

	private static final int PATTERN_ACCESS_THRESHOLD = 1000000;

	/**
	 * Maximum number of characters permitted in a regular expression.
	 * @since 5.2.23
	 */
	private static final int MAX_REGEX_LENGTH = 1000;

	// remainder of the class not quoted in the issue
}

The notes are wrong too.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Apr 11, 2024
@snicoll
Member

snicoll commented Apr 11, 2024

The limit was introduced to address CVE-2023-20861 and further expanded based on community feedback see #30265.

the notes are wrong too.

What "notes"?

@snicoll snicoll added the status: waiting-for-feedback We need additional information before we can continue label Apr 11, 2024
@Yannis-01
Author

Thanks. I read the previous issue and I think the maximum value should be configurable. Otherwise, many systems will be affected.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Apr 11, 2024
@snicoll
Member

snicoll commented Apr 11, 2024

So I don't know what notes are wrong but if you provide the information we can look at it.

Making the value configurable was discussed in the linked issue and rejected.
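
Since the limit is fixed per release rather than configurable, a team worried that "many systems will be affected" can audit its own patterns before upgrading. The following is an added example, not Spring Framework code and not part of this issue: it feeds each regex through the SpEL `matches` operator of whatever Spring version is on the classpath, so the effective MAX_REGEX_LENGTH of that release is exercised rather than hard-coded. It assumes the length rejection is reported with the message code `SpelMessage.MAX_REGEX_LENGTH_EXCEEDED` (as in current releases); the class name `SpelRegexLimitAudit` and the sample patterns are constructed for the example.

```java
import java.util.List;

import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.SpelMessage;
import org.springframework.expression.spel.standard.SpelExpressionParser;

// Added example (not Spring Framework code): evaluates each regex through the
// 'matches' operator so the limit of the Spring version actually on the
// classpath is what gets checked.
public class SpelRegexLimitAudit {

	private static final SpelExpressionParser PARSER = new SpelExpressionParser();

	// Returns true if the 'matches' operator accepts the regex, false if the
	// length limit rejects it. Any other evaluation error (e.g. a malformed
	// regex) is rethrown so it is not silently mistaken for a length rejection.
	public static boolean isAccepted(String regex) {
		// A single quote inside a SpEL string literal is written as ''.
		String literal = regex.replace("'", "''");
		Expression expr = PARSER.parseExpression("'probe' matches '" + literal + "'");
		try {
			expr.getValue(Boolean.class);
			return true;
		}
		catch (SpelEvaluationException ex) {
			// Assumption: the limit is reported with this message code.
			if (ex.getMessageCode() == SpelMessage.MAX_REGEX_LENGTH_EXCEEDED) {
				return false;
			}
			throw ex;
		}
	}

	public static void main(String[] args) {
		// Constructed sample patterns: one short, one well above the
		// 1000-character limit quoted in this issue for 5.3.29.
		List<String> patterns = List.of("[a-z]+", "(a|b)".repeat(400));
		for (String p : patterns) {
			System.out.printf("length=%d accepted=%b%n", p.length(), isAccepted(p));
		}
	}
}
```

The check happens at evaluation time (the parser accepts the expression; `getValue` is what throws), which is why the example evaluates rather than only parses. Running it against the target Spring version on the classpath tells you which of your patterns would start failing after the upgrade.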

@snicoll snicoll closed this as not planned Won't fix, can't repro, duplicate, stale Apr 11, 2024
@snicoll snicoll added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged or decided on status: feedback-provided Feedback has been provided labels Apr 11, 2024