by xyzzy123 300 days ago
It's great to have safe options - and it would have been great if the default had been safe.

I think many people are annoyed with ReDoS as a bug class. It seems like mostly noise in the CVE trackers, library churn and badge collecting for "researchers". It'd be less of a problem if people stuck to filing CVEs against libraries that might remotely see untrusted input rather than scrambling to collect pointless "scalps" from every tool under the sun that accepts a configuration regex - build tools, very commonly :(

Perhaps you can stop this madness... :)


Even in cases where malicious input could be hit, this bug class is stupid on the client side where the attacker can only attack themselves.
Stored... ReDoS, reflected... ReDoS(??)... [it pained me to type those] (╯°□°)╯︵ ┻━┻
> and it would have been great if the default had been safe.

I totally agree here. Safety can and should be from the language itself.
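Added illustration (not written by any of the commenters above) of what "safe by default from the language itself" looks like in practice. The pattern `^(a+)+$` is the textbook ReDoS shape: on an input of many `a`s followed by a character that forces failure, a backtracking engine tries exponentially many ways to split the run before giving up. Go's `regexp` package is RE2-derived and guarantees time linear in the input length, so the same pattern and input stay fast, and a feature that would require backtracking (a backreference) is rejected at compile time rather than accepted and made slow. The input is constructed here for the demonstration; `evilInput`, `matchTimed` and `backreferenceRejected` are names chosen for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Classic ReDoS shape: a nested quantifier that must reach end of input.
// Backtracking engines explore exponentially many partitions of the 'a' run
// before concluding there is no match.
const nestedQuantifier = `^(a+)+$`

// evilInput builds the constructed attacker input for this example:
// n copies of 'a' followed by a character that makes the overall match fail.
func evilInput(n int) string {
	return strings.Repeat("a", n) + "!"
}

// matchTimed runs pattern against input and reports whether it matched and
// how long the engine took. Go's regexp (RE2 semantics) bounds the work to
// O(len(input) * len(pattern)), so this stays fast for any n.
func matchTimed(pattern, input string) (bool, time.Duration) {
	re := regexp.MustCompile(pattern)
	start := time.Now()
	ok := re.MatchString(input)
	return ok, time.Since(start)
}

// backreferenceRejected shows the other half of "safe by default": a
// construct that needs backtracking (here the backreference \1) does not
// compile at all, instead of silently reintroducing exponential behaviour.
func backreferenceRejected() bool {
	_, err := regexp.Compile(`^(a+)\1$`)
	return err != nil
}

func main() {
	for _, n := range []int{10, 100, 10000, 100000} {
		ok, d := matchTimed(nestedQuantifier, evilInput(n))
		fmt.Printf("n=%-6d matched=%v took=%v\n", n, ok, d)
	}
	fmt.Printf("backreference pattern rejected at compile time: %v\n",
		backreferenceRejected())
}
```

Running the same `nestedQuantifier` and `evilInput(30)` through a backtracking engine (Python's `re`, JavaScript's `RegExp`, PCRE without a match limit) is the comparison worth making on your own machine: the Go version finishes 100000 characters in milliseconds, while the backtracking engines are already unusable at a few dozen.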