Security question: What protections against regex injection attacks does json-schema-validator have?

[kbsizer]

Started to use json-schema-validator to meet a customer requirement. A little bit of a learning curve, but -- so far -- the results are delightful. Really impressed. The only hiccup is a security concern about overly-complex and/or malicious regular expressions. Are there any built-in constraints or safe-guards on regex size, complexity, or processing time?

Example of the type of thing I want to avoid or flag instead of hanging/crashing:
{ "type" : "string", "pattern" : "^([\\w\\-\\.\\&\\,]+[\\s]*)+" }

In general: How to avoid or limit stuff like this: https://www.regular-expressions.info/catastrophic.html

Any help greatly appreciated!

[gregsdennis]

The validation spec, section 10, lists several security concerns, including regex.

Basically, it lists the concern and requires that implementations handle it themselves. The idea is that the specification's role is to make tooling maintainers aware of the danger and allow them to manage it as required by best practices in their language/ecosystem.

[jdesrosiers]

@kbsizer In case it wasn't clear enough from Greg's answer... This repo is for the JSON Schema specification, not any particular implementation. You'll want to find the repo for the specific library you're using and ask them how/if they handle this case.

[kbsizer]

Thank you both! And apologies: If I'd thought half a second, that obviously had to be the case. Duh.

[gregsdennis]

No worries. It's not something that's obvious to a lot of people.