
TRE Python binding — ReDoS robustness demo

simonwillison.net · 2026-05-04 · excerpt

Simon Willison used Claude Code to build a Python binding for the TRE regular expression engine and demonstrated its strong defence against ReDoS (regular expression denial of service) attacks. TRE is a lightweight, safe regex library developed by Ville Laurikari, safer than traditional engines such as PCRE. The experiment shows that even under complex pattern matching TRE maintains constant-time execution, effectively preventing the performance collapse caused by malicious input. This result may help spread safer regex practices.

Simon Willison

Research TRE Python binding — ReDoS robustness demo — Demonstrating robust regex performance, this project offers a minimal Python ctypes binding to the TRE regex library, highlighting TRE’s immunity to regular expression denial-of-service (ReDoS) attacks that cripple Python's built-in `re` module. Key benchmarks show that TRE processes even notorious "evil" patterns on gigantic inputs (10 million characters) much faster than `re` on tiny ones, and scales linearly with input size instead of exponentially.

If it's good enough for antirez to add to Redis I figured Ville Laurikari's TRE regular expression engine was worth exploring in a little more detail.

I had Claude Code build an experimental Python binding (it used ctypes) and try some malicious regular expression attacks against the library. TRE handles those much better than Python's standard library implementation, thanks mainly to the lack of support for backtracking.
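As an added illustration of the backtracking point (this is not Simon Willison's ctypes binding and not TRE's own code), the following toy compiles a small regex subset into a Thompson NFA and then runs the same NFA two ways against a constructed evil input, the nested quantifier `(a+)+` against `'a'*n + '!'`: a depth-first backtracking matcher, which is the strategy Python's `re` uses, and a state-set simulation with no backtracking, which is the strategy TRE relies on. Counting steps instead of wall-clock time makes the exponential-versus-linear growth deterministic. The regex subset, the step counters and the evil input are all assumptions of this example.

```python
# Added toy model (not Simon Willison's binding and not TRE's code); both matchers count steps.

def compile_regex(pattern):
    """Compile a regex subset (literals, '.', '|', '*', '+', groups) into a
    Thompson NFA: a list of [kind, arg, out1, out2] states plus a start index."""
    nfa, pos = [], [0]
    def add(kind, arg=None):
        nfa.append([kind, arg, None, None])
        return len(nfa) - 1
    def patch(exits, target):  # wire a fragment's dangling exits to `target`
        for state, slot in exits:
            nfa[state][slot] = target
    def peek():
        return pattern[pos[0]] if pos[0] < len(pattern) else None
    def take():
        pos[0] += 1
        return pattern[pos[0] - 1]
    def parse_alt():  # alt := concat ('|' concat)*
        start, exits = parse_concat()
        while peek() == '|':
            take()
            rhs_start, rhs_exits = parse_concat()
            s = add('split')
            nfa[s][2], nfa[s][3] = start, rhs_start
            start, exits = s, exits + rhs_exits
        return start, exits
    def parse_concat():  # concat := repeat+
        start, exits = parse_repeat()
        while peek() not in (None, '|', ')'):
            next_start, next_exits = parse_repeat()
            patch(exits, next_start)
            exits = next_exits
        return start, exits
    def parse_repeat():  # repeat := atom ('*' | '+')*
        start, exits = parse_atom()
        while peek() in ('*', '+'):
            s = add('split')
            nfa[s][2] = start  # out1 re-enters the atom for another repetition
            patch(exits, s)  # the atom's exits loop back through the split
            if take() == '*':
                start = s  # '*' may skip the atom entirely
            exits = [(s, 3)]
        return start, exits
    def parse_atom():  # atom := '(' alt ')' | '.' | literal  (malformed input is not diagnosed)
        c = take()
        if c == '(':
            start, exits = parse_alt()
            take()  # the closing ')'
            return start, exits
        s = add('char', None if c == '.' else c)  # arg None = wildcard
        return s, [(s, 2)]
    start, exits = parse_alt()
    patch(exits, add('match'))
    return nfa, start


def backtrack_match(nfa, start, text):
    """Anchored full match by depth-first backtracking (Python `re` style)."""
    steps = 0
    def run(s, i, seen):  # `seen`: states reached at position i without consuming input
        nonlocal steps
        steps += 1
        if s in seen:  # epsilon loop such as (a*)* at the same position: give up
            return False
        kind, arg, out1, out2 = nfa[s]
        if kind == 'match':
            return i == len(text)
        if kind == 'char':
            return i < len(text) and arg in (None, text[i]) and run(out1, i + 1, frozenset())
        # split: commit to one branch, retry the other only on failure, so every partition is re-explored
        return run(out1, i, seen | {s}) or run(out2, i, seen | {s})
    return run(start, 0, frozenset()), steps


def simulate_match(nfa, start, text):
    """Anchored full match by NFA state-set simulation (no backtracking)."""
    steps = 0
    def closure(states):  # follow epsilon (split) edges from every state in `states`
        nonlocal steps
        result, stack = set(), list(states)
        while stack:
            s = stack.pop()
            if s not in result:
                result.add(s)
                steps += 1
                if nfa[s][0] == 'split':
                    stack += nfa[s][2:]
        return result
    current = closure({start})
    for ch in text:  # advance every live state at once; work is bounded by len(text) * len(nfa)
        current = closure({nfa[s][2] for s in current
                           if nfa[s][0] == 'char' and nfa[s][1] in (None, ch)})
    return any(nfa[s][0] == 'match' for s in current), steps


if __name__ == '__main__':
    nfa, start = compile_regex('(a+)+')  # classic nested quantifier
    for n in range(8, 17, 2):  # constructed input that can never match: 'aaaa...!'
        text = 'a' * n + '!'
        print(f"n={n:2d}  backtracking steps={backtrack_match(nfa, start, text)[1]:7d}"
              f"  simulation steps={simulate_match(nfa, start, text)[1]:3d}")
```

Running the file prints one row per input size: the backtracking count roughly doubles with every extra `a` (it follows 5·2^n − 4 for this pattern), while the simulation count grows by a fixed four steps per character, which is the linear behaviour the post observes for TRE. Dropping backtracking is what makes that bound possible: the state set can never hold more than one entry per NFA state, so no input can force the matcher to revisit work.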
