jpath regex timeout support added for a single regex expression, global umbrella for all regex calls, and support for allowing regex calls to get compiled if necessary

require users to set a global cancellation token themselves, to avoid a potential unmanaged memory leak, which cleans up the code a bunch and fixes the failing tests

fix tests so cached regex's don't cause one test to fail using prior tests timeout...

handle the global timeout of multitoken regex internally and test for it

Author: chadgpt-o1

Src/Directory.Build.props

@@ -22,5 +22,7 @@
     <SystemValueTuplePackageVersion>4.4.0</SystemValueTuplePackageVersion>
     <XunitPackageVersion>2.3.1</XunitPackageVersion>
     <XunitRunnerVisualStudioPackageVersion>2.3.1</XunitRunnerVisualStudioPackageVersion>
+    <BogusPackageVersion>32.0.2</BogusPackageVersion>
+    <AsyncExPackageVersion>5.1.0</AsyncExPackageVersion>
   </PropertyGroup>
 </Project>

Src/Newtonsoft.Json.Tests/Linq/JsonPath/JPathExecuteTests.cs

@@ -31,6 +31,13 @@
 #endif
 using Newtonsoft.Json.Linq.JsonPath;
 using Newtonsoft.Json.Tests.Bson;
+#if HAVE_REGEX_TIMEOUTS
+using Bogus;
+using Nito.AsyncEx;
+using System.Text.RegularExpressions;
+using System.Threading.Tasks;
+using System.Threading;
+#endif
 #if DNXCORE50
 using Xunit;
 using Test = Xunit.FactAttribute;
@@ -44,7 +51,6 @@
 using Newtonsoft.Json.Utilities.LinqBridge;
 #else
 using System.Linq;
-
 #endif
 
 namespace Newtonsoft.Json.Tests.Linq.JsonPath
@@ -71,6 +77,75 @@ public void GreaterThanIssue1518()
             Assert.AreEqual(jObj, dd);
         }
 
+#if HAVE_REGEX_TIMEOUTS
+        [Test]
+        public void BacktrackingRegex_SingleMatch_TimeoutRespected()
+        {
+            var RegexBacktrackingPattern = "(?<a>(.*?))[|].*(?<b>(.*?))[|].*(?<c>(.*?))[|].*(?<d>[1-3])[|].*(?<e>(.*?))[|].*[|].*[|].*(?<f>(.*?))[|].*[|].*(?<g>(.*?))[|].*(?<h>(.*))";
+
+            var faker = new Faker();
+            var regexBacktrackingData = new JArray();
+
+            for (var i = 0; i < 1000; i++)
+            {
+                var value = $"{faker.Date.Past()}|1|{faker.Lorem.Words()}|3|{faker.Lorem.Sentences(3, ". ")}|||.\\{faker.Lorem.Word()}.cpp||{faker.Random.UShort()}|-1";
+                regexBacktrackingData.Add(new JObject(new JProperty("b", value)));
+            }
+
+            Xunit.Assert.Throws<RegexMatchTimeoutException>(() =>
+            {
+                var tokens = regexBacktrackingData.SelectTokens(
+                    $"[?(@.b =~ /{RegexBacktrackingPattern}/)]",
+                    errorWhenNoMatch: false,
+                    singleRegexMatchTimeout: TimeSpan.FromSeconds(.01)).ToArray();
+            });
+        }
+
+        [Test]
+        public void BacktrackingRegex_GlobalMatch_TimeoutRespected()
+        {
+            var faker = new Faker();
+            var regexBacktrackingData = new JArray();
+            for (var i = 0; i < 1000; i++)
+            {
+                var value = $"{faker.Date.Past()}|1|{faker.Lorem.Words()}|3|{faker.Lorem.Sentences(3, ". ")}|||.\\{faker.Lorem.Word()}.cpp||{faker.Random.UShort()}|-1";
+                regexBacktrackingData.Add(new JObject(new JProperty("b", value)));
+            }
+            var RegexBacktrackingPattern = "(?<i>(.*?))[|].*(?<b>(.*?))[|].*(?<c>(.*?))[|].*(?<d>[1-3])[|].*(?<e>(.*?))[|].*[|].*[|].*(?<f>(.*?))[|].*[|].*(?<g>(.*?))[|].*(?<h>(.*))";
+            var jpathExpression = $"[?(@.b =~ /{RegexBacktrackingPattern}/c)]";
+
+            var exceptionThrow = Xunit.Assert.ThrowsAny<Exception>(() =>
+            {
+                var tokens = regexBacktrackingData.SelectTokens(
+                    jpathExpression,
+                    errorWhenNoMatch: false,
+                    singleRegexMatchTimeout: TimeSpan.FromSeconds(2),
+                    globalRegexMatchTimeout: TimeSpan.FromSeconds(.5)).ToArray();
+            });
+            Assert.IsTrue(exceptionThrow is OperationCanceledException or RegexMatchTimeoutException);
+        }
+
+        [Test]
+        public async Task BacktrackingRegexCanBeVerySlowWithoutTimeouts()
+        {
+            var RegexBacktrackingPattern = "(?<j>(.*?))[|].*(?<b>(.*?))[|].*(?<c>(.*?))[|].*(?<d>[1-3])[|].*(?<e>(.*?))[|].*[|].*[|].*(?<f>(.*?))[|].*[|].*(?<g>(.*?))[|].*(?<h>(.*))";
+            var faker = new Faker();
+            var regexBacktrackingData = new JArray();
+
+            for (var i = 0; i < 10; i++)
+            {
+                var value = $"{faker.Date.Past()}|1|{faker.Lorem.Words()}|3|{faker.Lorem.Sentences(3, ". ")}|||.\\{faker.Lorem.Word()}.cpp||{faker.Random.UShort()}|-1";
+                regexBacktrackingData.Add(new JObject(new JProperty("b", value)));
+            }
+
+            var selectTokenTask = Task.Run(() => regexBacktrackingData.SelectTokens($"[?(@.b =~ /{RegexBacktrackingPattern}/)]").ToArray());
+            using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(.3));
+            using var ctts = new CancellationTokenTaskSource<bool>(cts.Token);
+            var finishedTask = await Task.WhenAny(selectTokenTask, ctts.Task);
+            Assert.AreEqual(finishedTask, ctts.Task);
+        }
+#endif
+
         [Test]
         public void GreaterThanWithIntegerParameterAndStringValue()
         {

Src/Newtonsoft.Json.Tests/Newtonsoft.Json.Tests.csproj

@@ -2,7 +2,7 @@
   <PropertyGroup>
     <TargetFrameworks Condition="'$(TestFrameworks)'==''">net46;net40;net35;net20;net5.0;netcoreapp3.1;netcoreapp2.1</TargetFrameworks>
     <TargetFrameworks Condition="'$(TestFrameworks)'!=''">$(TestFrameworks)</TargetFrameworks>
-    <LangVersion>8.0</LangVersion>
+    <LangVersion>9.0</LangVersion>
     <VersionPrefix>1.0</VersionPrefix>
     <Authors>James Newton-King</Authors>
     <Company>Newtonsoft</Company>
@@ -76,6 +76,7 @@
     <Reference Include="System.ComponentModel.DataAnnotations" />
     <Reference Include="System.Web.Extensions" />
     <Reference Include="System.Data.DataSetExtensions" />
+    <PackageReference Include="Bogus" Version="$(BogusPackageVersion)" />
   </ItemGroup>
   <PropertyGroup Condition="'$(TargetFramework)'=='net40'">
     <AssemblyTitle>Json.NET Tests .NET 4.0</AssemblyTitle>
@@ -121,11 +122,14 @@
     <PackageReference Include="xunit" Version="$(XunitPackageVersion)" />
     <PackageReference Include="xunit.runner.visualstudio" Version="$(XunitRunnerVisualStudioPackageVersion)" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNETTestSdkPackageVersion)" />
+    <PackageReference Include="Bogus" Version="$(BogusPackageVersion)" />
+    <PackageReference Include="Nito.AsyncEx.Tasks" Version="$(AsyncExPackageVersion)" />
   </ItemGroup>
+
   <PropertyGroup Condition="'$(TargetFramework)'=='net5.0'">
     <AssemblyTitle>Json.NET Tests .NET Standard 2.0</AssemblyTitle>
     <ReferringTargetFrameworkForProjectReferences>.NETStandard,Version=v2.0</ReferringTargetFrameworkForProjectReferences>
-    <DefineConstants>NETSTANDARD2_0;DNXCORE50;PORTABLE;HAVE_BENCHMARKS;$(AdditionalConstants)</DefineConstants>
+    <DefineConstants>NETSTANDARD2_0;DNXCORE50;PORTABLE;HAVE_BENCHMARKS;HAVE_REGEX_TIMEOUTS;$(AdditionalConstants)</DefineConstants>
   </PropertyGroup>
 
   <ItemGroup Condition="'$(TargetFramework)'=='netcoreapp3.1'">
@@ -142,11 +146,13 @@
     <PackageReference Include="xunit" Version="$(XunitPackageVersion)" />
     <PackageReference Include="xunit.runner.visualstudio" Version="$(XunitRunnerVisualStudioPackageVersion)" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNETTestSdkPackageVersion)" />
+    <PackageReference Include="Bogus" Version="$(BogusPackageVersion)" />
+    <PackageReference Include="Nito.AsyncEx.Tasks" Version="$(AsyncExPackageVersion)" />
   </ItemGroup>
   <PropertyGroup Condition="'$(TargetFramework)'=='netcoreapp3.1'">
     <AssemblyTitle>Json.NET Tests .NET Standard 1.3</AssemblyTitle>
     <ReferringTargetFrameworkForProjectReferences>.NETStandard,Version=v1.3</ReferringTargetFrameworkForProjectReferences>
-    <DefineConstants>NETSTANDARD1_3;DNXCORE50;PORTABLE;HAVE_BENCHMARKS;$(AdditionalConstants)</DefineConstants>
+    <DefineConstants>NETSTANDARD1_3;DNXCORE50;PORTABLE;HAVE_BENCHMARKS;HAVE_REGEX_TIMEOUTS;$(AdditionalConstants)</DefineConstants>
   </PropertyGroup>
 
   <ItemGroup Condition="'$(TargetFramework)'=='netcoreapp2.1'">
@@ -162,10 +168,13 @@
     <PackageReference Include="xunit" Version="$(XunitPackageVersion)" />
     <PackageReference Include="xunit.runner.visualstudio" Version="$(XunitRunnerVisualStudioPackageVersion)" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNETTestSdkPackageVersion)" />
+    <PackageReference Include="Bogus" Version="$(BogusPackageVersion)" />
+    <PackageReference Include="Nito.AsyncEx.Tasks" Version="$(AsyncExPackageVersion)" />
   </ItemGroup>
+
   <PropertyGroup Condition="'$(TargetFramework)'=='netcoreapp2.1'">
     <AssemblyTitle>Json.NET Tests .NET Standard 1.0</AssemblyTitle>
     <ReferringTargetFrameworkForProjectReferences>.NETStandard,Version=v1.0</ReferringTargetFrameworkForProjectReferences>
-    <DefineConstants>NETSTANDARD1_0;DNXCORE50;PORTABLE;$(AdditionalConstants)</DefineConstants>
+    <DefineConstants>NETSTANDARD1_0;DNXCORE50;PORTABLE;HAVE_REGEX_TIMEOUTS;$(AdditionalConstants)</DefineConstants>
   </PropertyGroup>
 </Project>

Src/Newtonsoft.Json/Linq/JToken.cs

@@ -44,6 +44,7 @@
 using Newtonsoft.Json.Utilities.LinqBridge;
 #else
 using System.Linq;
+using System.Threading;
 #endif
 
 namespace Newtonsoft.Json.Linq
@@ -485,7 +486,7 @@ private static bool ValidateToken(JToken o, JTokenType[] validTypes, bool nullab
             return (Array.IndexOf(validTypes, o.Type) != -1) || (nullable && (o.Type == JTokenType.Null || o.Type == JTokenType.Undefined));
         }
 
-#region Cast from operators
+        #region Cast from operators
         /// <summary>
         /// Performs an explicit conversion from <see cref="Newtonsoft.Json.Linq.JToken"/> to <see cref="System.Boolean"/>.
         /// </summary>
@@ -1497,9 +1498,9 @@ private static BigInteger ToBigInteger(JToken value)
             return ConvertUtils.ToBigInteger(v.Value);
         }
 #endif
-#endregion
+        #endregion
 
-#region Cast to operators
+        #region Cast to operators
         /// <summary>
         /// Performs an implicit conversion from <see cref="Boolean"/> to <see cref="JToken"/>.
         /// </summary>
@@ -1863,7 +1864,7 @@ public static implicit operator JToken(Guid? value)
         {
             return new JValue(value);
         }
-#endregion
+        #endregion
 
         IEnumerator IEnumerable.GetEnumerator()
         {
@@ -2336,6 +2337,35 @@ int IJsonLineInfo.LinePosition
             return token;
         }
 
+#if HAVE_REGEX_TIMEOUTS
+        /// <summary>
+        /// Selects a <see cref="JToken"/> using a JSONPath expression. Selects the token that matches the object path.
+        /// </summary>
+        /// <param name="path">
+        /// A <see cref="String"/> that contains a JSONPath expression.
+        /// </param>
+        /// <param name="errorWhenNoMatch">A flag to indicate whether an error should be thrown if no tokens are found when evaluating part of the expression.</param>
+        /// <param name="singleMatchTimeout">the time after which a single call to regex.ismatch must complete, default is forever</param>
+        /// <returns>A <see cref="JToken"/>.</returns>
+        public JToken? SelectToken(string path, bool errorWhenNoMatch, TimeSpan? singleMatchTimeout = default)
+        {
+            JPath p = new JPath(path, singleMatchTimeout);
+
+            JToken? token = null;
+            foreach (JToken t in p.Evaluate(this, this, errorWhenNoMatch))
+            {
+                if (token != null)
+                {
+                    throw new JsonException("Path returned multiple tokens.");
+                }
+
+                token = t;
+            }
+
+            return token;
+        }
+#endif
+
         /// <summary>
         /// Selects a collection of elements using a JSONPath expression.
         /// </summary>
@@ -2358,10 +2388,51 @@ public IEnumerable<JToken> SelectTokens(string path)
         /// <returns>An <see cref="IEnumerable{T}"/> of <see cref="JToken"/> that contains the selected elements.</returns>
         public IEnumerable<JToken> SelectTokens(string path, bool errorWhenNoMatch)
         {
-            JPath p = new JPath(path);
+            var p = new JPath(path);
             return p.Evaluate(this, this, errorWhenNoMatch);
         }
 
+#if HAVE_REGEX_TIMEOUTS
+        /// <summary>
+        /// Selects a collection of elements using a JSONPath expression.
+        /// </summary>
+        /// <param name="path">
+        /// A <see cref="String"/> that contains a JSONPath expression.
+        /// </param>
+        /// <param name="errorWhenNoMatch">A flag to indicate whether an error should be thrown if no tokens are found when evaluating part of the expression.</param>
+        /// <param name="singleRegexMatchTimeout">
+        /// for every token that matches a jpath, the time a regex is permitted to run 
+        /// against that token before timeout
+        /// </param>
+        /// <param name="globalRegexMatchTimeout">
+        /// the time this method should wait for the given jpath regex to match all tokens.
+        /// worst case expected execution time roughly globalRegexMatchTimeout + Min(singleRegexMatchTimeout, globalRegexMatchTimeout)
+        /// </param>
+        /// <exception cref="System.Text.RegularExpressions.RegexMatchTimeoutException">if single call timeout exceeded</exception>"
+        /// <returns>An <see cref="IEnumerable{T}"/> of <see cref="JToken"/> that contains the selected elements.</returns>
+        public IEnumerable<JToken> SelectTokens(string path,
+            bool errorWhenNoMatch,
+            TimeSpan? singleRegexMatchTimeout = default,
+            TimeSpan? globalRegexMatchTimeout = default)
+        {
+            var singleTimeout = singleRegexMatchTimeout ?? Timeout.InfiniteTimeSpan;
+            var globalTimeout = globalRegexMatchTimeout ?? Timeout.InfiniteTimeSpan;
+            if (globalTimeout != Timeout.InfiniteTimeSpan && globalTimeout < singleTimeout)
+            {
+                singleTimeout = globalTimeout;
+            }
+            
+            using var cts = new CancellationTokenSource(globalTimeout);
+            var p = new JPath(path, singleTimeout);
+            var results = p.Evaluate(this, this, errorWhenNoMatch);
+            foreach (var result in results)
+            {
+                cts.Token.ThrowIfCancellationRequested();
+                yield return result;
+            }
+        }
+#endif
+
 #if HAVE_DYNAMIC
         /// <summary>
         /// Returns the <see cref="DynamicMetaObject"/> responsible for binding operations performed on this object.

Src/Newtonsoft.Json/Linq/JsonPath/JPath.cs

@@ -27,6 +27,8 @@
 using System.Collections.Generic;
 using System.Globalization;
 using System.Text;
+using System.Text.RegularExpressions;
+using System.Threading;
 using Newtonsoft.Json.Utilities;
 
 namespace Newtonsoft.Json.Linq.JsonPath
@@ -37,14 +39,16 @@ internal class JPath
 
         private readonly string _expression;
         public List<PathFilter> Filters { get; }
+        public readonly TimeSpan? RegexSingleMatchTimeout = default;
 
         private int _currentIndex;
 
-        public JPath(string expression)
+        public JPath(string expression, TimeSpan? regexSingleMatchTimeout = default)
         {
             ValidationUtils.ArgumentNotNull(expression, nameof(expression));
             _expression = expression;
             Filters = new List<PathFilter>();
+            RegexSingleMatchTimeout = regexSingleMatchTimeout;
 
             ParseMain();
         }
@@ -509,7 +513,8 @@ private QueryExpression ParseExpression()
                     right = ParseSide();
                 }
 
-                BooleanQueryExpression booleanExpression = new BooleanQueryExpression(op, left, right);
+
+                var booleanExpression = new BooleanQueryExpression(op, left, right, RegexSingleMatchTimeout);
 
                 if (_expression[_currentIndex] == ')')
                 {

Src/Newtonsoft.Json/Linq/JsonPath/QueryExpression.cs

@@ -4,6 +4,7 @@
 using System.IO;
 using System.Text.RegularExpressions;
 using System.Diagnostics;
+using System.Threading;
 #if !HAVE_LINQ
 using Newtonsoft.Json.Utilities.LinqBridge;
 #else
@@ -83,11 +84,17 @@ internal class BooleanQueryExpression : QueryExpression
     {
         public readonly object Left;
         public readonly object? Right;
+        public readonly TimeSpan? SingleMatchTimeout;
 
-        public BooleanQueryExpression(QueryOperator @operator, object left, object? right) : base(@operator)
+        public BooleanQueryExpression(QueryOperator @operator,
+            object left, 
+            object? right, 
+            TimeSpan? regexSingleMatchTimeout = default)
+            : base(@operator)
         {
             Left = left;
             Right = right;
+            SingleMatchTimeout = regexSingleMatchTimeout;
         }
 
         private IEnumerable<JToken> GetResult(JToken root, JToken t, object? o)
@@ -143,7 +150,7 @@ private bool MatchTokens(JToken leftResult, JToken rightResult)
                 switch (Operator)
                 {
                     case QueryOperator.RegexEquals:
-                        if (RegexEquals(leftValue, rightValue))
+                        if (RegexEquals(leftValue, rightValue, SingleMatchTimeout))
                         {
                             return true;
                         }
@@ -215,7 +222,9 @@ private bool MatchTokens(JToken leftResult, JToken rightResult)
             return false;
         }
 
-        private static bool RegexEquals(JValue input, JValue pattern)
+        private static bool RegexEquals(JValue input, 
+            JValue pattern,
+            TimeSpan? regexMatchTimeout = default)
         {
             if (input.Type != JTokenType.String || pattern.Type != JTokenType.String)
             {
@@ -228,7 +237,12 @@ private static bool RegexEquals(JValue input, JValue pattern)
             string patternText = regexText.Substring(1, patternOptionDelimiterIndex - 1);
             string optionsText = regexText.Substring(patternOptionDelimiterIndex + 1);
 
+#if HAVE_REGEX_TIMEOUTS
+            var timeout = regexMatchTimeout ?? Regex.InfiniteMatchTimeout;
+            return Regex.IsMatch((string)input.Value!, patternText, MiscellaneousUtils.GetRegexOptions(optionsText), timeout);
+#else
             return Regex.IsMatch((string)input.Value!, patternText, MiscellaneousUtils.GetRegexOptions(optionsText));
+#endif
         }
 
         internal static bool EqualsWithStringCoercion(JValue value, JValue queryValue)