Add a servlet which can cause slow regular expression parse

src/main/java/performance/SlowRegularExpressionServlet.java

@@ -0,0 +1,77 @@
+package performance;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Date;
+import java.util.Locale;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.t246osslab.easybuggy.utils.Closer;
+import org.t246osslab.easybuggy.utils.HTTPResponseCreator;
+import org.t246osslab.easybuggy.utils.MessageUtils;
+
+@SuppressWarnings("serial")
+@WebServlet(urlPatterns = { "/slowre" })
+public class SlowRegularExpressionServlet extends HttpServlet {
+
+    private static Logger log = LoggerFactory.getLogger(SlowRegularExpressionServlet.class);
+
+    protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
+
+        PrintWriter writer = null;
+        try {
+            String word = req.getParameter("word");
+            Locale locale = req.getLocale();
+
+            StringBuilder bodyHtml = new StringBuilder();
+
+            bodyHtml.append("<form action=\"slowre\" method=\"post\">");
+            bodyHtml.append(MessageUtils.getMsg("description.test.regular.expression", locale));
+            bodyHtml.append("<br><br>");
+            bodyHtml.append("<img src=\"images/regular-expression.png\">");
+            bodyHtml.append("<br><br>");
+            bodyHtml.append(MessageUtils.getMsg("label.string", locale) + ": ");
+            bodyHtml.append("<input type=\"text\" name=\"word\" size=\"50\" maxlength=\"50\">");
+            bodyHtml.append("<br><br>");
+            bodyHtml.append("<input type=\"submit\" value=\"" + MessageUtils.getMsg("label.submit", locale) + "\">");
+            bodyHtml.append("<br><br>");
+
+            if (word != null && !word.equals("")) {
+                Date startDdate = new Date();
+                log.info("Start Ddate: " + startDdate.toString());
+                Pattern compile = Pattern.compile("^([a-z0-9]+[-]{0,1}){1,100}$");
+                Matcher matcher = compile.matcher(word);
+                boolean matches = matcher.matches();
+                Date endDdate = new Date();
+                log.info("End Ddate: " + endDdate.toString());
+                if (matches) {
+                    bodyHtml.append(MessageUtils.getMsg("msg.match.regular.expression", locale));
+                } else {
+                    bodyHtml.append(MessageUtils.getMsg("msg.not.match.regular.expression", locale));
+                }
+            } else {
+                bodyHtml.append(MessageUtils.getMsg("msg.enter.word", locale));
+            }
+            bodyHtml.append("<br><br>");
+            bodyHtml.append(MessageUtils.getMsg("msg.note.slow.regular.expression", locale));
+            bodyHtml.append("</form>");
+
+            HTTPResponseCreator.createSimpleResponse(res, MessageUtils.getMsg("title.slow.regular.expression.page", locale),
+                    bodyHtml.toString());
+
+        } catch (Exception e) {
+            log.error("Exception occurs: ", e);
+        } finally {
+            Closer.close(writer);
+        }
+    }
+}

src/main/resources/indexpage_en.properties

@@ -35,6 +35,8 @@ function.description.thread.leak=Thread leak occurs every time you load the page
 section.performance.issue=Performance Issue
 description.performance.issue=Issues for problems
 
+function.name.slow.regular.expression=Delay due to regular expression parse
+function.description.slow.regular.expression=It takes time to parse the regular expression if you enter a specific string.
 function.name.stop.the.world=Stop the World
 function.description.stop.the.world=Stop the World occurs after clicking this link.
 
@@ -44,7 +46,7 @@ description.vulnerabilities=XSS, SQL Injection, LDAP injection, and so on:
 function.name.xss=XSS
 function.description.xss=Cross site scripting occurs after entering a vulnerable string.
 function.name.sql.injection=SQL Injection
-function.description.sql.injection=SQL injection occurs when entering a vulnerable string.
+function.description.sql.injection=SQL injection occurs after entering a vulnerable string.
 function.name.ldap.injection=LDAP Injection
 function.description.ldap.injection=LDAP injection occurs after entering a vulnerable string.
 function.name.code.injection=Code Injection

src/main/resources/indexpage_ja.properties

@@ -35,6 +35,8 @@ function.description.thread.leak=\u30da\u30fc\u30b8\u3092\u30ed\u30fc\u30c9\u305
 section.performance.issue=\u6027\u80fd\u554f\u984c
 description.performance.issue=\u6027\u80fd\u306b\u95a2\u3059\u308b\u554f\u984c
 
+function.name.slow.regular.expression=\u6b63\u898f\u8868\u73fe\u89e3\u6790\u306b\u3088\u308b\u9045\u5ef6
+function.description.slow.regular.expression=\u7279\u5b9a\u306e\u6587\u5b57\u5217\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u6b63\u898f\u8868\u73fe\u306e\u89e3\u6790\u306b\u6642\u9593\u304c\u304b\u304b\u308a\u307e\u3059\u3002
 function.name.stop.the.world=\u30b9\u30c8\u30c3\u30d7 \u30b6 \u30ef\u30fc\u30eb\u30c9
 function.description.stop.the.world=\u3053\u306e\u30ea\u30f3\u30af\u3092\u30af\u30ea\u30c3\u30af\u3059\u308b\u3068\u3001\u30b9\u30c8\u30c3\u30d7 \u30b6 \u30ef\u30fc\u30eb\u30c9\u304c\u767a\u751f\u3057\u307e\u3059\u3002
 

src/main/resources/messages_en.properties

@@ -75,3 +75,13 @@ title.sql.injection.page=Search your secret number
 title.truncation.error.page=Decimal division
 title.xss.page=Reverse your name
 user.table.column.names=Name, Secret Number
+
+
+msg.not.match.regular.expression=The input string does not match the regular expression.
+msg.match.regular.expression=The input string matches the regular expression.
+msg.enter.word=Please enter a string.
+msg.note.slow.regular.expression=(&nbsp;<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
+Parsing will take an amount of time if you set string to aaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042 )
+title.slow.regular.expression.page=Test Regular Expression
+description.test.regular.expression=Please test if an input string matches the regular expression ^([a-z0-9]+[-]{0,1}){1,100}$.
+label.string=String

src/main/resources/messages_ja.properties

@@ -75,3 +75,12 @@ title.sql.injection.page=\u6697\u8a3c\u756a\u53f7\u691c\u7d22
 title.truncation.error.page=\u5c0f\u6570\u306e\u5272\u308a\u7b97
 title.xss.page=\u540d\u524d\u306e\u9006\u8ee2
 user.table.column.names=\u540d\u524d, \u6697\u8a3c\u756a\u53f7
+
+
+msg.not.match.regular.expression=\u5165\u529b\u6587\u5b57\u5217\u306f\u6b63\u898f\u8868\u73fe\u306b\u4e00\u81f4\u3057\u307e\u305b\u3093\u3002
+msg.match.regular.expression=\u5165\u529b\u6587\u5b57\u5217\u306f\u6b63\u898f\u8868\u73fe\u306b\u4e00\u81f4\u3057\u307e\u3057\u305f\u3002
+msg.enter.word=\u6587\u5b57\u5217\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
+msg.note.slow.regular.expression=\u6587\u5b57\u5217\u306b\u300caaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042\u300d\u3092\u8a2d\u5b9a\u3059\u308b\u3068\u69cb\u6587\u89e3\u6790\u306b\u6642\u9593\u304c\u304b\u308a\u307e\u3059\u3002
+title.slow.regular.expression.page=\u6b63\u898f\u8868\u73fe\u306e\u30c6\u30b9\u30c8
+description.test.regular.expression=\u6b63\u898f\u8868\u73fe\u300c^([a-z0-9]+[-]{0,1}){1,100}$\u300d\u306b\u4e00\u81f4\u3059\u308b\u6587\u5b57\u5217\u304b\u30c6\u30b9\u30c8\u3057\u3066\u4e0b\u3055\u3044\u3002
+label.string=\u6587\u5b57\u5217

src/main/webapp/index.jsp

@@ -188,6 +188,11 @@
 		<fmt:message key="description.performance.issue" />
 	</p>
 	<ul>
+		<li><p>
+			<a href="slowre" target="_blank"><fmt:message
+						key="function.name.slow.regular.expression" /></a>:
+			<fmt:message key="function.description.slow.regular.expression" />
+		</p></li>
 		<li><p>
 			<fmt:message key="function.name.stop.the.world" />
 				: