Feature #17837


Add support for Regexp timeouts

Added by sam.saffron (Sam Saffron) 5 months ago. Updated 3 months ago.

Target version:



ReDoS are a very common security issue. At Discourse we have seen a few through the years.

In a nutshell there are 100s of ways this can happen in production apps, the key is for an attacker (or possibly innocent person) to supply either a problematic Regexp or a bad string to test it with.

/A(B|C+)+D/ =~ "A" + "C" * 100 + "X"

Having a problem Regexp somewhere in a large app is a universal constant, it will happen as long as you are using Regexps.

Currently the only feasible way of supplying a consistent safeguard is by using Thread.raise and managing all execution. This kind of pattern requires usage of a third party implementation. There are possibly issues with jRuby and Truffle when taking approaches like this.

Prior art

.NET provides a MatchTimeout property per:

Java has nothing built in as far as I can tell:

Node has nothing built in as far as I can tell:

Golang and Rust uses RE2 which is not vulnerable to DoS by limiting features (available in Ruby RE2 gem)

irb(main):003:0> r ='A(B|C+)+D')
=> #<RE2::Regexp /A(B|C+)+D/>
irb(main):004:0> r.match("A" + "C" * 100 + "X")
=> nil


Implement Regexp.timeout which allow us to specify a global timeout for all Regexp operations in Ruby.

Per Regexp would require massive application changes, almost all web apps would do just fine with a 1 second Regexp timeout.

If timeout is set to nil everything would work as it does today, when set to second a "monitor" thread would track running regexps and time them out according to the global value.


I recommend against a "per Regexp" API as this decision is at the application level. You want to apply it to all regular expressions in all the gems you are consuming.

I recommend against a move to RE2 at the moment as way too much would break

See also:

Related issues

Related to Ruby master - Feature #17849: Fix Timeout.timeout so that it can be used in threaded Web serversOpenmatz (Yukihiro Matsumoto)Actions
Related to Ruby master - Bug #18144: Timeout not working while regular expression match is runningOpenActions

Also available in: Atom PDF