Fix Regexp::TimeoutError SQL injection bypass by marksmith · Pull Request #258 · AikidoSec/firewall-ruby

marksmith · 2026-03-23T12:16:18Z

Since Ruby 3.2, if Regexp.timeout is set, regular expression matching is aborted after Regexp.timeout by raising Regexp::TimeoutError. Since Rails 8.0, Regexp.timeout is set to 1 second by default. This change treats a Regexp::TimeoutError during SQL injection detection as an attack.

Summary by Aikido

Security Issues: 0	Quality Issues: 0	Resolved Issues: 0

⚡ Enhancements

Added regexp_with_timeout helper and applied configurable internal regex timeouts

🐛 Bugfixes

Treated Regexp::TimeoutError during SQL injection detection as attack

🔧 Refactors

Replaced string RUBY_VERSION comparisons with Gem::Version based checks

^{More info}

for detecting numbers and comma-separated list of numbers.

codecov · 2026-03-23T16:08:22Z

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

lib/aikido/zen/scanners/sql_injection_scanner.rb

Around numbers and in comma-separated lists of numbers.

lib/aikido/zen/scanners/sql_injection_scanner.rb

On Ruby < 3.2.

With default timeout from redos_regex_timeout configuration option.

Return attack on Regexp::TimeoutError

8e9174d

marksmith requested review from bitterpanda63 and timokoessler March 23, 2026 12:16

marksmith added 2 commits March 23, 2026 17:04

Add test

48b1200

Optimize regular expression

6d1b2a6

for detecting numbers and comma-separated list of numbers.

aikido-pr-checks bot reviewed Mar 23, 2026

View reviewed changes

lib/aikido/zen/scanners/sql_injection_scanner.rb Outdated Show resolved Hide resolved

marksmith added 3 commits March 23, 2026 17:37

Add tests

4c607d4

Restrict whitespace to spaces

27aba70

Add tests for invalid whitespace

1e13f60

Around numbers and in comma-separated lists of numbers.

timokoessler reviewed Mar 23, 2026

View reviewed changes

lib/aikido/zen/scanners/sql_injection_scanner.rb Show resolved Hide resolved

marksmith force-pushed the return-attack-on-regexp-timeout-error branch from caa4afc to 1e13f60 Compare March 23, 2026 16:46

marksmith added 3 commits March 25, 2026 10:34

Skip test for regular expression timeout attack

a34d55b

On Ruby < 3.2.

Use Gem::Version to compare RUBY_VERSION

79cf4d7

Add internal regular expression timeouts

a6dfd12

With default timeout from redos_regex_timeout configuration option.

timokoessler approved these changes Mar 25, 2026

View reviewed changes

kapyteinaikido approved these changes Mar 26, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix Regexp::TimeoutError SQL injection bypass#258

Fix Regexp::TimeoutError SQL injection bypass#258
marksmith wants to merge 9 commits intomainfrom
return-attack-on-regexp-timeout-error

marksmith commented Mar 23, 2026 •

edited by aikido-pr-checks bot

Loading

Uh oh!

codecov bot commented Mar 23, 2026 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

marksmith commented Mar 23, 2026 • edited by aikido-pr-checks bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by Aikido

Uh oh!

codecov bot commented Mar 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

marksmith commented Mar 23, 2026 •

edited by aikido-pr-checks bot

Loading

codecov bot commented Mar 23, 2026 •

edited

Loading