runtime: Add a static property Regex.DefaultRegexMatchTimeout to configure default timeouts globally

System.Text.RegularExpressions.Regex has a .MatchTimeout property, but there has never been a good way to configure this globally. It’s always been a very roundabout way (which AFAIK has been removed in .NET Core). Previously, you’d do this:

AppDomain.CurrentDomain.SetData("REGEX_DEFAULT_MATCH_TIMEOUT", TimeSpan.FromSeconds(20));

Or in ASP.NET:

<system.web>
  <httpRuntime defaultRegexMatchTimeout="00:00:20" />
</system.web>

Otherwise, we’re depending on every developer to set their match timeouts inline, for each regex. The problems with that are:

  • It’s either a maintenance burden, or we create our own global config anyway to use everywhere.
  • It defaults to failure if the developer forgets (creating a security and stability issue, since regexes can be a CPU-killing attack vector)

If we had a static property, like this:

namespace System.Text.RegularExpressions
{
     public partial class Regex
     {
         // Set a default value, to be used if not overridden.
         public static TimeSpan DefaultMatchTimeout = Timeout.InfiniteTimeSpan;
     }
}

…we could do this gracefully in code. Thoughts?

cc @terrajobst @blowdart @davidfowl

[edited by @Priya91 for syntax]

About this issue

  • Original URL
  • State: closed
  • Created 7 years ago
  • Reactions: 6
  • Comments: 21 (20 by maintainers)

Most upvoted comments

Thanks! Please loop me in, when we manage to create an issue to add a regression test for this scenario.

+1
karelz on Sep 12, 2017

FYI: The API review discussion was recorded - see https://youtu.be/VppFZYG-9cA?t=789 (14 min duration)

+1
karelz on Aug 29, 2017

Hmm, bad skimming on my side, sorry 😃

+1
karelz on Jan 14, 2017
Read more comments on GitHub
← runtime: ActivityId missing in a newly added HttpTelemetry Stop events.
runtime: Add a way to capture runtime fatal errors →