Regular expression should allowed input be limited?

[mspiegel]

Hello! I went back and read the regular expression section for the JSON schema standard. It turns out that a full ECMA 262 (aka Javascript) regular expression engine is not required. The specification says that implementations SHOULD follow ECMA 262 but not that it MUST use it. The specification also recommends that "schema authors SHOULD limit themselves to the following regular expression tokens..."

One possible feature to this library is to add validation to enforce that regular expressions are limited to the tokens that are recommended in the schema. This is one way to ensure compatibility between Java regular expressions and ECMA 262 regular expressions. The recommended tokens are:

• individual Unicode characters, as defined by the JSON specification [RFC7159];
• simple character classes ([abc]), range character classes ([a-z]);
• complemented character classes ([^abc], [^a-z]);
• simple quantifiers: "+" (one or more), "" (zero or more), "?" (zero or one), and their lazy versions ("+?", "?", "??");
• range quantifiers: "{x}" (exactly x occurrences), "{x,y}" (at least x, at most y, occurrences), {x,} (x occurrences or more), and their lazy versions;
• the beginning-of-input ("^") and end-of-input ("$") anchors;
• simple grouping ("(...)") and alternation ("|").

It would be a little tricky to implement the logic that only accepted the above tokens. Is it a good idea? What if someone really wants to use Java specific regular expressions? Should the library stop them?

[stevehu]

I think the json schema draft 4 is highly influenced by javascript language and it is very hard for other language to implement. I might be wrong but I think there is no big difference between Javascript regex and Java regex. And we can always address issues when they are raised. For most people, these are all edge cases and they don't case. You are absolute right that someone might want Java specific regex. I hope the future version of json schema will address these issues.

[mspiegel]

I agree. I guess the question is that if someone uses Java-specific regular expression tokens (not valid JavaScript regex), which they shouldn't use but not expressly forbidden, then is it worth detecting that case and reporting an error?

…

On Feb 8, 2017 4:49 PM, "Steve Hu" ***@***.***> wrote: I think the json schema draft 4 is highly influenced by javascript language and it is very hard for other language to implement. I might be wrong but I think there is no big difference between Javascript regex and Java regex. And we can always address issues when they are raised. For most people, these are all edge cases and they don't case. You are absolute right that someone might want Java specific regex. I hope the future version of json schema will address these issues. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#15 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAtnXf8XV8lzEPmd3YWe6breTBeY5xIks5rajhggaJpZM4L7U22> .

[mspiegel]

It could also be an optional flag. Enable something to require strict regular expressions. On Feb 8, 2017 5:20 PM, "Michael Spiegel" <michael.m.spiegel@gmail.com> wrote:

…

I agree. I guess the question is that if someone uses Java-specific regular expression tokens (not valid JavaScript regex), which they shouldn't use but not expressly forbidden, then is it worth detecting that case and reporting an error? On Feb 8, 2017 4:49 PM, "Steve Hu" ***@***.***> wrote: > I think the json schema draft 4 is highly influenced by javascript > language and it is very hard for other language to implement. I might be > wrong but I think there is no big difference between Javascript regex and > Java regex. And we can always address issues when they are raised. For most > people, these are all edge cases and they don't case. You are absolute > right that someone might want Java specific regex. I hope the future > version of json schema will address these issues. > > — > You are receiving this because you authored the thread. > Reply to this email directly, view it on GitHub > <#15 (comment)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/AAAtnXf8XV8lzEPmd3YWe6breTBeY5xIks5rajhggaJpZM4L7U22> > . >

[stevehu]

I like the option flag. Do you know how other schema validators work on regex? I never got a chance to dig these libraries myself. Thanks.

[eirnym]

draft 2019-09 also requires compliance as well as java.util.regex has implementation bugs such as {2,30} (yes, there's 2 to 30 of nothing, but never match any text)

[eirnym]

Some ECMA-262 libraries for Java:

https://github.com/jruby/joni
https://github.com/mozilla/rhino

UPDATE: it seems that rhino uses joni underneath

[stevehu]

@eirnym Thanks a lot for the recommendations. Joni looks good to me as it is active and has a minimum dependency on JCodings that is a green library. The only concern I have is that it is 1.5 times slower than the java.util.regex. Given all the incompatible regex edges cases are known and ignored by our users, I don't know if we should switch or not. I would like to hear from our users to make the final decision. If anybody has any opinions on this topic, please let's discuss here.

[eirnym]

Could you make it an option? The quality of schema is more important for us than speed. Now we have to check every regex twice and it's a bit frustrating

[stevehu]

Yes. That is definitely a good option. Would you like to submit a PR? Thanks.

[eirnym]

It's easy to implement the verification in PatternValidatorusing an additional option from SchemaValidatorsConfig, but there's no way to pass it to from the user. I leave it on your decision how to implement it.

Regex pattern creation and matching are easy enough to implement, so you can either replace it or add an option. I put below examples, how it works.

I've used the latest atm version of joni library, which is

        <dependency>
            <groupId>org.jruby.joni</groupId>
            <artifactId>joni</artifactId>
            <version>2.1.31</version>
        </dependency>

regex pattern creation:

byte[] patternBytes = pattern.getBytes();
org.joni.Regex regex = new Regex(patternBytes, 0, patternBytes.length, Option.NONE, UTF8Encoding.INSTANCE, Syntax.ECMAScript);

Check if text matches:

byte[] valueBytes = value.getBytes();
return compiledRegex.matcher(valueBytes).search(0, valueBytes.length, Option.NONE) >= 0;

[stevehu]

The user can control the SchemaValidatorsConfig using the builder. Take a look at this example https://github.com/networknt/light-rest-4j/blob/master/openapi-validator/src/main/java/com/networknt/openapi/RequestValidator.java#L122

[eirnym]

Thank you, so it's easy then. What option do you prefer by default? ECMA-262 or java.util.regex? This change will be only for pattern validation. Other regex validations will stay as they are.

[stevehu]

We still have several regex issues with java.util.regex. If all these issues can be resolved by ECMA-262, then I think we should use it by default. Let's try it out and make the decision later. What do you think?