Regex operations need timeout

[VahidN]

Consider these samples:

var emailAddressRegex = new Regex(@"^[A-Za-z0-9]([_\.\-]?[A-Za-z0-9]+)*\@[A-Za-z0-9]([_\.\-]?[A-Za-z0-9]+)*\.[A-Za-z0-9]([_\.\-]?[A-Za-z0-9]+)*$|^$");
if (emailAddressRegex.IsMatch("an.infinite.loop.sample.just_for.test"))
{
    Console.WriteLine("Matched!");
}

// Or

var input = "The quick brown fox jumps";
var pattern = @"([a-z ]+)*!";
if (Regex.IsMatch(input, pattern))
{
    Console.WriteLine("Matched!");
}

Both of them will create an infinite loop and they will cause 100% CPU usage.
More info:
Runaway Regular Expressions: Catastrophic Backtracking
Best Practices for Regular Expressions in the .NET Framework

Solution:
Suggest adding timeouts to Regular Expressions.

Regex regexpr = new Regex("[A-Z ]{10}", RegexOptions.Singleline, TimeSpan.FromMilliseconds(1));  

[h3xstream]

I think it would be a good trade off to only enforce the timeout if the RegEx use is at risk.

RegEx at risk typically follow the pattern (a+)+ or (b*)*.

[Siderale]

I am investigating this one @h3xstream

http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf

[h3xstream]

@Siderale Make sure you use TaintAnalysis extension.

[VahidN]

I think Regex DOS (ReDOS) and its tests can be used as an inspiration.