Potential Polynomial regex used (says CodeQL)

[joshgoebel]

Due to #13 (and other version dependency issues) we've been forced to vendor a "fake" version 1.0 that fixes that issue within our project, but CodeQL isn't very happy about the regex being used.

This is exactly the same code present in this repo in: https://github.com/rack/rackup/blob/main/lib/rackup/handler.rb#L107-L108

---

I don't see the issue since [A-Z]+ and [^A-Z] have no overlap... does anyone else see it or is this a false positive?

[joshgoebel]

Ruby 3.2.something:

# 100mb of repeated "A"s
> bad_input="/super/man/#{"A"*100000000}/lives"; nil
=> nil
[14] pry(main)> Benchmark.measure { bad_input.match(/[A-Z]+[^A-Z]/) }.real
=> 0.8092678760003764

Seems plenty fast to me...

[joshgoebel]

Oh CodeQL did say the problem was much improved with Ruby 3.2, let me try 3.1...

>  bad_input="/super/man/#{"A"*100000000}/lives"; nil
=> nil
irb(main):007> RUBY_VERSION
=> "3.1.2"
irb(main):008>  Benchmark.measure { bad_input.match(/[A-Z]+[^A-Z]/); }.real
=> 0.4945120000047609
irb(main):009> bad_input.match(/[A-Z]+[^A-Z]/)[0].size
=> 100000001

Still seems fine.

[ioquatix]

I also don't believe this input is ever "user controlled". However, I'd be fine for a PR to fix this if it doesn't significantly increase complexity.

[ioquatix]

@tenderlove you are an expert on these issues - is there anything we need to do here?

[tenderlove]

Since it's not user controlled, I'm not worried about it. If someone sends a PR to clean up the regex though I'm also happy to merge it

[ioquatix]

I agree, if anyone wants to make a PR, it would be welcome. Otherwise, I'll close this issue for now.