Schedule

Takashi Yoneuchi
  • @lmt_swallow

Takashi is CTO at Flatt Security Inc. He is currently working on implementing WebAssembly-based Policy as Code platforms towards reproducible and productive security/compliance operations. He’s an expert in application security and proposed new attack vectors in his career, including regexp-based ones (“blind regexp injection“).

Eliminating ReDoS with Ruby 3.2

Merely evaluating an inefficient regular expression can break your service: a pattern whose matching takes exponential time in the input length can be turned into a regular-expression denial of service (ReDoS), depending on the engine.

Ruby, like several other major languages, had relied on a naive backtracking algorithm, leaving it exposed to ReDoS. Ruby 3.2, however, introduced drastic changes to the Regexp engine internals to reduce that risk: memoization that keeps matching linear for most patterns, plus a configurable match timeout. For basic usage, Ruby developers no longer need to be afraid of ReDoS.

To confirm how effective these language-level changes are against ReDoS, this talk presents a case study of real ReDoS vulnerabilities in GitLab. Each was fixed at the application level, but the talk shows how each vulnerability stems from the old engine's characteristics and how the new engine eliminates the whole class at scale.

The talk also presents recommended coding practices for Ruby users to avoid ReDoS: which attack vectors the engine updates still leave uncovered, and how to use the Regexp timeouts appropriately for those cases.
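The following is an added example, not code from the talk or from GitLab, illustrating the two points above: the classic nested-quantifier ReDoS pattern, which Ruby 3.2's memoized matcher handles in linear time, beside a backreference pattern that the memoization does not cover and that therefore still needs a timeout. The pattern names, helper functions and the constructed input are this example's own; `Regexp.new(..., timeout:)`, `Regexp::TimeoutError` and `Regexp.linear_time?` are the real Ruby 3.2/3.3 APIs.

```ruby
# Added example (not from the talk or from GitLab): a classic ReDoS pattern
# measured under Ruby 3.2's memoized matching, and the case the memoization
# does not cover (a backreference) guarded with a Regexp timeout. All helper
# names and inputs are this example's own.

# Nested quantifier with an impossible suffix: "aaa...a!" never matches, and a
# naive backtracking engine tries every way of splitting the run of a's
# (2^(n-1) partitions). Ruby >= 3.2 memoizes (opcode, position) pairs instead
# and finishes in time linear in n.
NESTED = /\A(a+)+\z/

# The same blow-up, but the backreference disables Ruby's memoization, so this
# pattern still backtracks exponentially on Ruby 3.2+ and needs a timeout.
BACKREF = /\A(a+)+\1\z/

# Regexp::TimeoutError only exists from Ruby 3.2; use a placeholder class on
# older interpreters so the rescue clause below still works there.
REGEXP_TIMEOUT = defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Class.new(StandardError)

# Constructed attacker-style input: n a's followed by a byte that forces failure.
def evil_input(n)
  ("a" * n) + "!"
end

# Match with a per-regexp timeout (Ruby >= 3.2), returning :match, :no_match or
# :timeout. Regexp.timeout= would impose the same cap process-wide; a per-regexp
# value leaves trusted patterns unaffected. On Rubies without timeouts the match
# runs unguarded, so callers must keep n small there.
def guarded_match(re, str, timeout: 0.5)
  if Regexp.respond_to?(:timeout=)
    re = Regexp.new(re.source, re.options, timeout: timeout)
  end
  re.match?(str) ? :match : :no_match
rescue REGEXP_TIMEOUT
  :timeout
end

# Ruby >= 3.3 can tell statically whether the memoization applies to a pattern;
# :unknown on older interpreters.
def linear_time?(re)
  Regexp.respond_to?(:linear_time?) ? Regexp.linear_time?(re) : :unknown
end

# Run a block, print its result and wall-clock time, and return the result.
def timed(label)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  result = yield
  elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
  puts format("%-26s %-9s %.3fs", label, result, elapsed)
  result
end

if __FILE__ == $PROGRAM_NAME
  # On 3.2+ the nested quantifier is safe even for a long input; on older
  # Rubies keep n small, or the demo itself becomes the denial of service.
  n = Regexp.respond_to?(:timeout=) ? 5_000 : 18
  timed("NESTED (n=#{n})") { guarded_match(NESTED, evil_input(n)) }
  if Regexp.respond_to?(:timeout=)
    timed("BACKREF (n=40, 0.2s cap)") { guarded_match(BACKREF, evil_input(40), timeout: 0.2) }
  end
  puts "linear_time?: NESTED=#{linear_time?(NESTED)} BACKREF=#{linear_time?(BACKREF)}"
end
```

On Ruby 3.2 or later the nested pattern returns `:no_match` almost instantly even for thousands of characters, while the backreference pattern hits the 0.2 s cap and returns `:timeout`; on Ruby 3.3 or later `Regexp.linear_time?` reports `true` for the former and `false` for the latter, which is a cheap check to run over the patterns an application compiles from configuration or user input.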

Presentation Material

Recorded video