When parsing untrusted rulex expressions, rulex may crash, possibly enabling a Denial of Service attack. This happens when the expression contains a multi-byte UTF-8 code point in a string literal or after a backslash, because rulex tries to slice into the code point and panics as a result.
This is a security concern for you, if - your service parses untrusted rulex expressions (expressions provided by an untrusted user), and - your service becomes unavailable when the thread running rulex panics.
The crashes are fixed in version 0.4.3. Affected users are advised to update to this version.
You can use catch_unwind
to recover from panics.
If you have any questions or comments about this advisory: * Open an issue in rulex * Email me at ludwig.stecher@gmx.de
Credit for finding these bugs goes to