Aspnetcore: Regex Timeout are too short, not consistent, and not configurable in RewriteMiddleware
Regex timeouts that are used across UrlRewrite, ApacheModRewrite, and code rules are not consistent. The are set at 1 second or 1 millisecond in different places. Secondly, 1 millisecond is too short for a regex expression; it should be 1 second as the timeout is mostly for making sure your server isn't locked. Also if the expression timeouts, it returns a 500 server error as the exception is unhandled. Thirdly, the timeout should be configurable in RewriteOptions.
Plan of action:
- Timeouts should be increased to 1 second across the board.
- For 2.1, we should make Regex timeouts configurable a
- The timeouts should be backported to 2.0 and 1.1
@Eilon @muratg this is a patch candidate. Workarounds are very difficult.
jkotalik
All 11 comments
Need to consult with @blowdart on a good timeout. I agree 1ms is waaaay too small.
Eilon
on 19 Dec 2017
1.1 milliseconds.
Merry Christmas 鉀勶笍
Oh ok, 1 second is fine as a default, as long as it's configurable.
blowdart
on 19 Dec 2017
@blowdart but in a patch, we might not make it configurable. Would 1sec be reasonable in the patch? (With a switch to restore the original bizarre 1ms timeout.)
Eilon
on 20 Dec 2017
The patch is a simple fix. However the redesign would require more work. When calling options.AddRedirect(), options.AddIISUrlRewrite, etc, we eagerly create the Regex object, which is too early as options would now store the regex timeout. Someone could do:
options.AddRedirect(...); // Creates a regex object with default timeout of 1 ms
options.RegexTimeout = TimeSpan.FromSeconds(1);
options.AddRewrite(...);
which would set the timeout of 1 ms instead of 1 second for the regex expression. We shouldn't have options apis that need to be ordered.
We could either create the regex objects on first request or use a different pattern to know when rules are done being added.
jkotalik
on 20 Dec 2017
Config would be better, but if we can't do that for a patch, then, ugh, ok fix it at 1 second.
blowdart
on 20 Dec 2017
@jkotalik yeah I don't think having a property on the options would be the right way to do it. It would have to be a parameter on each .AddXyz() call.
Eilon
on 20 Dec 2017
options.RegexTimeout = TimeSpan.FromSeconds(1); looks like a simple, piratical solution. Changing it to DefaultRegexTimeout might make it's usage a little more clear. The ordering restriction is not a hard thing to explain to users.
Passing in the timeout to every .Add API looks like overkill, you'll add a lot of overloads that very few people will use, and they'll have to specify it on every rule.
Tratcher
on 21 Dec 2017
Adding timeouts through each of the .AddXyz() calls would be bloated for sure. I guess we can add it to options and throw if someone does:
options.AddRule();
options.RegexTimeout = TimeSpan.FromSeconds(1); // throw
Or don't throw and make it work: have every call to .AddXyz() capture the "current" RegexTimeout and use it.
Eilon
on 27 Dec 2017
280 for an initial fix to dev. Will make PRs to 1.1.x and 2.0.x branches and then address fixes to 2.1.x.
jkotalik
on 3 Jan 2018
FYI, we ended up deciding no to patch this. But for 2.1 we can consider if we want some fancier behavior(s).
Eilon
on 13 Jan 2018
Related issues
groogiam
路
3Comments
snebjorn
路
3Comments
fayezmm
路
3Comments
ipinak
路
3Comments
aurokk
路
3Comments
Most helpful comment
Or don't throw and make it work: have every call to
.AddXyz()capture the "current" RegexTimeout and use it.