Description
RegexPredicateJudge.judge() evaluates rule/selector conditions using Pattern.matches(regex, input) with no timeout. The input (realData) is fully attacker-controlled via the incoming HTTP request (URI path, headers, query parameters, etc.). A regex condition with catastrophic backtracking potential (e.g., ([a-zA-Z]+)*$) configured by an Admin can be exploited by an external attacker to pin Netty worker threads indefinitely, causing gateway-wide availability degradation.
Affected File:
shenyu-plugin/shenyu-plugin-base/src/main/java/org/apache/shenyu/plugin/base/condition/judge/RegexPredicateJudge.java
Proposed Change:
Add a configurable match timeout in RegexPredicateJudge.judge(). If the match does not complete within the timeout, fail closed: treat the condition as not matched (return false) and log a warning that identifies the rule/selector and pattern.
Add regex safety validation in RuleServiceImpl and SelectorServiceImpl when saving conditions with operator=regex. At minimum, verify the pattern compiles without error. Optionally, reject known dangerous patterns (nested quantifiers).
Add documentation guidance on safe regex pattern writing for rule/selector conditions.
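As an added illustration of the first two proposed changes (it is not ShenYu's code and the class and method names are hypothetical), the following sketch bounds a single match with a deadline-checking CharSequence, which the JDK regex engine consults through charAt() on every character it inspects, and validates admin-supplied patterns at save time. The nested-quantifier check is a heuristic of my own, labelled as such in the code.

```java
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/** Hypothetical sketch; names are illustrative, not the project's own. Requires Java 11+ (String.repeat). */
public final class RegexHardening {

    /** Raised from inside the regex engine once the per-match time budget is exhausted. */
    static final class MatchTimeoutException extends RuntimeException {
        MatchTimeoutException(String message) { super(message); }
    }

    /** CharSequence wrapper that checks a deadline from charAt(), so a backtracking loop cannot outrun the budget. */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence delegate;
        private final long deadlineNanos;
        private int calls;

        DeadlineCharSequence(CharSequence delegate, long deadlineNanos) {
            this.delegate = delegate;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public int length() { return delegate.length(); }

        @Override public char charAt(int index) {
            // Sample the clock every 64 calls to keep overhead negligible on benign patterns.
            if ((++calls & 63) == 0 && System.nanoTime() - deadlineNanos > 0) {
                throw new MatchTimeoutException("regex match exceeded its time budget");
            }
            return delegate.charAt(index);
        }

        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(delegate.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return delegate.toString(); }
    }

    /** Bounded replacement for Pattern.matches(regex, realData); the Pattern is compiled once by the caller. */
    static boolean judgeWithTimeout(Pattern pattern, String realData, long budgetMillis) {
        long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(budgetMillis);
        Matcher matcher = pattern.matcher(new DeadlineCharSequence(realData, deadline));
        try {
            return matcher.matches();
        } catch (MatchTimeoutException e) {
            // Fail closed: the condition does not match, and the worker thread is released.
            System.err.println("WARN regex condition timed out after " + budgetMillis + "ms: " + pattern);
            return false;
        }
    }

    // Heuristic (assumption, not a proof): a quantified group whose body itself contains a quantifier,
    // e.g. ([a-z]+)* or (\d+){2,}. It misses deeper nesting and may flag a literal '+' inside brackets.
    private static final Pattern NESTED_QUANTIFIER = Pattern.compile("\\([^()]*[*+}][^()]*\\)[*+{]");
    private static final int MAX_PATTERN_LENGTH = 256;

    /** Save-time check for operator=regex conditions; returns a rejection reason, or empty if acceptable. */
    static Optional<String> validateCondition(String regex) {
        if (regex == null || regex.isEmpty()) {
            return Optional.of("regex condition is empty");
        }
        if (regex.length() > MAX_PATTERN_LENGTH) {
            return Optional.of("regex condition longer than " + MAX_PATTERN_LENGTH + " chars");
        }
        try {
            Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            return Optional.of("regex does not compile: " + e.getDescription());
        }
        if (NESTED_QUANTIFIER.matcher(regex).find()) {
            return Optional.of("regex contains a nested quantifier (catastrophic backtracking risk)");
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign path condition and the nested-quantifier pattern from the issue.
        Pattern benign = Pattern.compile("^/api/[a-z]+$");
        System.out.println(judgeWithTimeout(benign, "/api/users", 50));

        Pattern evil = Pattern.compile("([a-zA-Z]+)*$");
        String payload = "a".repeat(40) + "!";   // trailing '!' forces the full-match attempt to fail after exponential backtracking
        long start = System.nanoTime();
        boolean result = judgeWithTimeout(evil, payload, 50);
        System.out.printf("evil -> %b after %d ms%n", result, TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start));

        System.out.println(validateCondition("([a-zA-Z]+)*$"));
        System.out.println(validateCondition("^/api/[a-z]+$"));
        System.out.println(validateCondition("[a-z"));
    }
}
```

Two design points worth keeping in mind if this shape is adopted. The budget bounds one match, not aggregate CPU: an attacker can still send many requests that each burn the full budget, so the save-time validation is the primary control and the timeout is the backstop. The Pattern should also be compiled once when the rule or selector is loaded rather than per request, as Pattern.matches(regex, input) recompiles on every call.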
Acceptance Criteria:
A catastrophically backtracking regex condition does not permanently pin a Netty worker thread.
Admin-configured regex patterns are validated at save time.
Official documentation includes a section on safe regex usage in conditions.
Task List
No response