我们在生产环境中遇到了100%的CPU利用率问题,线程转储显示我们的"黑名单"实现卡在以下步骤。
[11/14/13 10:12:42:745 CST] 0000000d ThreadMonitor W WSVR0605W: Thread "Thread-002" (0000003b) has been active for 604063 milliseconds and may be hung. There is/are 1 thread(s) in total in the server that may be hung.
at java.lang.Character.isLetterOrDigit(Character.java:3516)
at java.util.regex.Pattern$Bound.check(Pattern.java:4820)
at java.util.regex.Pattern$Bound.match(Pattern.java:4832)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3366)
at java.util.regex.Pattern$Curly.match0(Pattern.java:3782)
at java.util.regex.Pattern$Curly.match(Pattern.java:3744)
at java.util.regex.Matcher.match(Matcher.java:1127)
at java.util.regex.Matcher.matches(Matcher.java:502)
问题在于,这种情况并非总是发生,这意味着它是数据相关的,并且我们在黑名单实现中有以下正则表达式列表。
如果有人能够告诉我以下哪个正则表达式可能会导致100%的CPU占用(我猜测是由于回溯),我将不胜感激。
# zero/null bytes
.*\x00.*
# javascript
.*\bjavascript\b.* &&! ^[\w.,;/*+= -]*\b(:?application/x-javascript|text/javascript)\b[\w.,;/*+= -]*$
# vbscript
.*\bvbscript\b.*
# <script or </script>
.*<\s*/?\s*script\b.*|.*\bscript\s*>.*
# <img or </img>
.*<\s*/?\s*img\b.*|.*\bimg\s*>.*
# <div or </div>
.*<\s*/?\s*div\b.*|.*\bdiv\s*>.*
# <html or </html>
.*<\s*/?\s*html\b.*|.*\bhtml\s*>.*
# <body or </body>
.*<\s*/?\s*body\b.*|.*\bbody\s*>.*
# <link or </link>
.*<\s*/?\s*link\b.*|.*\blink\s*>.* &&! ^<\?xml .*$
# <meta or </meta>
.*<\s*/?\s*meta\b.*|.*\bmeta\s*>.*
# <base or </base>
.*<\s*/?\s*base\b.*|.*\bbase\s*>.*
# <span or </span>
.*<\s*/?\s*span\b.*|.*\bspan\s*>.*
# <input or </input>
.*<\s*/?\s*input\b.*|.*\binput\s*>.*
# <style or </style>
.*<\s*/?\s*style\b.*|.*\bstyle\s*>.*
# <table or </table>
.*<\s*/?\s*table\b.*|.*\btable\s*>.*
# <embed or </embed>
.*<\s*/?\s*embed\b.*|.*\bembed\s*>.*
# <frame or </frame>
.*<\s*/?\s*frame\b.*|.*\bframe\s*>.*
# <iframe or </iframe>
.*<\s*/?\s*iframe\b.*|.*\biframe\s*>.*
# <object or </object>
.*<\s*/?\s*object\b.*|.*\bobject\s*>.*
# < onload= >
.*<.+\bonload\s*=.+>.*
# < onerror= >
.*<.+\bonerror\s*=.+>.*
# < onmouseover= >
.*<.+\bonmouseover\s*=.+>.*
# < src= >
.*<.+\bsrc\s*=.+>.*
# < href= >
.*<.+\bhref\s*=.+>.*
# < style= >
.*<.+\bstyle\s*=.+>.*
# < content= >
.*<.+\bcontent\s*=.+>.*
# document.
.*\bdocument\s*\..+
# element.
.*\belement\s*\..+
# url(
.*\burl\s*\(.+
# eval(
.*\beval\s*\(.+
# alert(
.*\balert\s*\(.+
# /* */
.*/\*.*\*/.*
# HTTP response splitting
.*\bHTTP/\d+\.\d+.+
# Path traversal
#.*\.\.[/\\].*
.*\.\.[/\\]\.\.[/\\].*
# SQL injection (probably not very useful)
# from HttpServletBase.java
.*select\s+\S*\s*from\s+\S+(?:\s+where\s+.+)?.*
.*insert\s+\S*\s*into\s+\S+(?:\s+values\s+.+)?.*
.*update\s+\S*\s*set\s+\S+(?:\s+where\s+.+)?.*
.*delete\s+\S*\s*from\s+\S+(?:\s+where\s+.+)?.*