Artifact (software + dataset) for "The Impact of Regular Expression Denial of Service (ReDoS) in Practice: an Empirical Study at the Ecosystem Scale"
2018-11-04T00:00:00Z (GMT) by
# Ecosystem-scale regexp study

Welcome to the FSE'18 artifact for the ESEC/FSE paper *"The Impact of Regular Expression Denial of Service (ReDoS) in Practice: an Empirical Study at the Ecosystem Scale"*, by J.C. Davis, C.A. Coghlan, F. Servant, and D. Lee, all of Virginia Tech.

This paper describes a study in which we:
- extracted regular expressions (regexes, regexps) from npm and pypi modules
- analyzed the regexes along several dimensions

Our artifact consists of:
- Code to analyze a regex for super-linear performance (Table 1), degree of vulnerability (Table 2), semantic meaning (Table 3), and use of anti-patterns (Table 4).
- Unique regexes collected from npm and pypi modules. We are releasing these regexes raw (without analysis or source module(s)) due to security concerns.

In addition, we wrote code to statically extract regexes from npm and pypi modules.
We released this code as part of our `vuln-regex-detector` software, available [here](https://github.com/davisjam/vuln-regex-detector).
Regex extraction was uninteresting from a scientific perspective, so we do not elaborate on it in this artifact.

In addition to this directory's `README.md`, each sub-tree comes with one or more READMEs describing the software and tests.

## Installation

### By hand

To install, execute the script `./configure` on an Ubuntu 16.04 machine with root privileges.
This will obtain and install the various dependencies (OS packages, ReDoS detectors, npm modules, and pypi modules).
It will also initialize submodules.

The final line of this script is `echo "Configuration complete. I hope everything works!"`.
If you see this printed to the console, great!
Otherwise...alas.

### Container

To facilitate replication, we have published a [containerized version](https://hub.docker.com/r/jamiedavis/daviscoghlanservantlee-fse18-regexartifact/) of this project on hub.docker.com.
The container is based on an Ubuntu 16.04 image, so it is fairly large.

For example, you might run:

```
docker pull jamiedavis/daviscoghlanservantlee-fse18-regexartifact
docker run -ti jamiedavis/daviscoghlanservantlee-fse18-regexartifact
> vim .env
# Set ECOSYSTEM_REGEXP_PROJECT_ROOT=/davis-fse18-artifact/EcosystemREDOS-FSE18
> . .env
> ./full-analysis/analyze-regexp.pl ./full-analysis/test/vuln-email.json
```
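The artifact's own analyzers (Tables 1, 2 and 4) are not reproduced here, but the following added example, which is not part of the artifact or of `vuln-regex-detector`, shows the kind of static anti-pattern check a defender can run over a pile of extracted regexes before handing them to a ReDoS detector: it computes the *star height* of each pattern (the deepest nesting of unbounded quantifiers) and flags nested quantifiers, a commonly cited ReDoS anti-pattern. The claim that Table 4 contains this particular anti-pattern is an assumption; the paper's list is not quoted on this page. The parser assumes the common JavaScript/Python regex subset (groups, escapes, character classes, `* + ? {n,m}`), and the sample regexes are constructed for illustration, not taken from the released dataset.

```python
import re

# Matches the body of an interval quantifier: {n}, {n,} or {n,m}.
_INTERVAL = re.compile(r"\d+(,\d*)?")


def star_height(pattern: str) -> int:
    """Return the star height of a regex: the deepest nesting of unbounded
    quantifiers ('*', '+', '{n,}'). Bounded repetition ('?', '{n}', '{n,m}')
    does not add a level. Groups, escapes and character classes are parsed
    structurally; the syntax covered is the common JavaScript/Python subset
    (an assumption of this example, not a guarantee about the artifact's data).
    """
    # One frame per open group: [max height seen in the group, height of the last atom].
    stack = [[0, 0]]
    i, n = 0, len(pattern)
    while i < n:
        frame = stack[-1]
        c = pattern[i]
        if c == "\\":
            # An escape such as \w, \. or \1 is a single atom of height 0.
            frame[1] = 0
            i += 2
        elif c == "[":
            # A character class is one atom; skip to its closing ']' (a leading
            # ']' or '^]' is literal, and '\]' does not close the class).
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1
            if j < n and pattern[j] == "]":
                j += 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            frame[1] = 0
            i = j + 1
        elif c == "(":
            stack.append([0, 0])
            i += 1
        elif c == ")" and len(stack) > 1:
            inner_max, _ = stack.pop()
            # The whole group is the next atom; its height is the max inside it.
            stack[-1][1] = inner_max
            stack[-1][0] = max(stack[-1][0], inner_max)
            i += 1
        elif c in "*+":
            # Unbounded quantifier: one more nesting level around the last atom.
            frame[1] += 1
            frame[0] = max(frame[0], frame[1])
            i += 1
        elif c == "?":
            # '?' is either a bounded quantifier (0 or 1) or a lazy/group modifier.
            i += 1
        elif c == "{":
            j = pattern.find("}", i)
            body = pattern[i + 1:j] if j != -1 else ""
            if _INTERVAL.fullmatch(body):
                if body.endswith(","):
                    # {n,} has no upper bound and counts like '*'.
                    frame[1] += 1
                    frame[0] = max(frame[0], frame[1])
                i = j + 1
            else:
                # Not an interval quantifier, so '{' is a literal character.
                frame[1] = 0
                i += 1
        else:
            # Literal, '.', '|', or anchor: an atom (or separator) of height 0.
            frame[1] = 0
            i += 1
    # Tolerate an unbalanced '(' by folding any open groups into the outer frame.
    while len(stack) > 1:
        inner_max, _ = stack.pop()
        stack[-1][0] = max(stack[-1][0], inner_max)
    return stack[0][0]


NESTED_QUANTIFIER_THRESHOLD = 2


def flag_nested_quantifiers(patterns):
    """Return [(pattern, height)] for every regex of star height >= 2.

    This is a triage heuristic, not a proof: regexes of star height 1 can still
    be super-linear (e.g. two adjacent quantifiers that match the same characters),
    and a nested quantifier is only dangerous when the inner and outer repetitions
    can consume the same input in more than one way.
    """
    flagged = []
    for p in patterns:
        h = star_height(p)
        if h >= NESTED_QUANTIFIER_THRESHOLD:
            flagged.append((p, h))
    return flagged


# Constructed sample regexes, in the spirit of what a static extractor pulls out
# of npm/pypi sources; they are illustrations, not entries from the dataset.
SAMPLE_REGEXES = [
    r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$",  # email check, star height 1
    r"^(\w+\s?)*$",                              # nested repetition, star height 2
    r"(?:[a-z]+\.)*[a-z]+",                      # nested repetition, star height 2
    r"\d{1,3}(\.\d{1,3}){3}",                    # bounded repetition only, star height 0
    r"<!--.*?-->",                               # lazy '.*?', star height 1
]

if __name__ == "__main__":
    for pattern, height in flag_nested_quantifiers(SAMPLE_REGEXES):
        print(f"star height {height}: {pattern}")
```

Run as a script it lists the two nested-repetition samples. The flagged regexes are candidates for the artifact's dynamic detectors, not confirmed vulnerabilities; the unflagged ones still need the Table 1 analysis, because star height alone misses overlapping adjacent quantifiers.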