[Task] Add timeout protection and documentation for RegexPredicateJudge #6404

@Aias00

Description

RegexPredicateJudge.judge() evaluates rule/selector conditions using Pattern.matches(regex, input) with no timeout. The input (realData) is fully attacker-controlled via the incoming HTTP request (URI path, headers, query parameters, etc.). A regex condition with catastrophic backtracking potential (e.g., ([a-zA-Z]+)*$) configured by an Admin can be exploited by an external attacker to pin Netty worker threads indefinitely, causing gateway-wide availability degradation.

Affected File:

shenyu-plugin/shenyu-plugin-base/src/main/java/org/apache/shenyu/plugin/base/condition/judge/RegexPredicateJudge.java

Proposed Change:

1. Add a configurable match timeout in RegexPredicateJudge.judge(). If the match does not complete within the timeout, return false and log a warning.
2. Add regex safety validation in RuleServiceImpl and SelectorServiceImpl when saving conditions with operator=regex. At minimum, verify the pattern compiles without error. Optionally, reject known dangerous patterns (nested quantifiers).
3. Add documentation guidance on safe regex pattern writing for rule/selector conditions.

Acceptance Criteria:

A catastrophically backtracking regex condition does not permanently pin a Netty worker thread.
Admin-configured regex patterns are validated at save time.
Official documentation includes a section on safe regex usage in conditions.
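The following is an added example and is not ShenYu code or a patch for this issue; it shows one way to implement the first two proposed changes together. The class, method and field names (TimeLimitedRegex, DeadlineCharSequence, matches, validate, NESTED_QUANTIFIER) are assumptions chosen for illustration. The match timeout is enforced by wrapping the input in a CharSequence whose charAt() polls the clock: java.util.regex.Matcher reads input through that interface, and a backtracking engine calls charAt() constantly, so the deadline is noticed quickly and the match unwinds with an exception that the caller turns into the fail-closed false the issue asks for. The save-time check compiles the pattern and applies a deliberately conservative heuristic for a quantified group that is itself quantified, the shape of the pattern quoted in the description.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Added example (not ShenYu code): a regex match bounded by a wall-clock deadline,
 * plus a save-time validator for admin-supplied patterns.
 */
public final class TimeLimitedRegex {

    /** Thrown from inside the regex engine when the deadline passes. */
    static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException(String msg) { super(msg); }
    }

    /** CharSequence view that checks System.nanoTime() on every character read. */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public int length() { return inner.length(); }

        @Override public char charAt(int index) {
            // Backtracking reads characters continuously, so this check fires promptly.
            if (System.nanoTime() > deadlineNanos) {
                throw new RegexTimeoutException("regex match exceeded deadline");
            }
            return inner.charAt(index);
        }

        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    /**
     * Bounded equivalent of Pattern.matches(regex, input). On timeout it logs a
     * warning and returns false, so a slow condition never matches and the
     * worker thread is released instead of being pinned.
     */
    public static boolean matches(Pattern pattern, CharSequence input, long timeoutMillis) {
        long deadline = System.nanoTime() + timeoutMillis * 1_000_000L;
        try {
            Matcher m = pattern.matcher(new DeadlineCharSequence(input, deadline));
            return m.matches();
        } catch (RegexTimeoutException e) {
            System.err.println("WARN regex condition timed out after " + timeoutMillis
                    + "ms: " + pattern.pattern());
            return false;
        }
    }

    /**
     * Heuristic (assumption, not a full ReDoS analysis): a group whose body ends in
     * + or *, immediately followed by another quantifier, e.g. "([a-z]+)*" or "(a*)+".
     */
    private static final Pattern NESTED_QUANTIFIER =
            Pattern.compile("\\([^()]*[+*]\\)[+*?{]");

    /**
     * Save-time validation for operator=regex conditions. Returns null when the
     * pattern is accepted, otherwise a message describing why it was rejected.
     */
    public static String validate(String regex) {
        try {
            Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            return "regex does not compile: " + e.getDescription();
        }
        if (NESTED_QUANTIFIER.matcher(regex).find()) {
            return "regex contains a nested quantifier and may backtrack catastrophically";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed demo: the pattern from the issue against a non-matching input.
        String risky = "([a-zA-Z]+)*$";
        String input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!";
        System.out.println("validate(risky) -> " + validate(risky));
        System.out.println("validate(\"/api/.*\") -> " + validate("/api/.*"));
        System.out.println("bounded match   -> " + matches(Pattern.compile(risky), input, 100));
        System.out.println("benign match    -> " + matches(Pattern.compile("/api/.*"), "/api/users", 100));
    }
}
```

In the demo, validate(risky) reports the nested quantifier, the bounded match returns false within roughly the 100 ms budget instead of running for a very long time, and the benign path pattern still matches normally. A production integration would read the timeout from plugin configuration, compile and cache the Pattern once per condition rather than per request, and use the project's logger instead of System.err.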

Task List

No response
