regex checked by hyperscan directly with error messages

backend/binsrc/nfregex.cpp

@@ -50,6 +50,21 @@ void config_updater (){
 }
 
 int main(int argc, char *argv[]){
+
+	char * test_regex = getenv("FIREGEX_TEST_REGEX");
+	if (test_regex != nullptr){
+		cerr << "[info] [main] Testing regex: " << test_regex << endl;
+		try{
+			RegexRules::compile_regex(test_regex);
+			cerr << "[info] [main] Test passed" << endl;
+			return 0;
+		}catch(const std::exception& e){
+			cerr << "[error] [updater] Test failed" << endl;
+			cout << e.what() << flush;
+			return 1;
+		}
+	}
+
 	int n_of_threads = 1;
    	char * n_threads_str = getenv("NTHREADS");
    	if (n_threads_str != nullptr) n_of_threads = ::atoi(n_threads_str);

backend/binsrc/regex/regex_rules.cpp

@@ -59,6 +59,26 @@ class RegexRules{
 	public:
 		regex_ruleset output_ruleset, input_ruleset;
 		
+	static void compile_regex(char* regex){
+		hs_database_t* db = nullptr;
+		hs_compile_error_t *compile_err = nullptr;
+		if (
+			hs_compile(
+				regex,
+				HS_FLAG_SINGLEMATCH | HS_FLAG_ALLOWEMPTY,
+				HS_MODE_BLOCK,
+				nullptr, &db, &compile_err
+			) != HS_SUCCESS
+		) {
+			string err = string(compile_err->message);
+			hs_free_compile_error(compile_err);
+			throw runtime_error(err);
+		}else{
+			hs_free_database(db);
+		}
+		
+	}
+
 	private:
 		static inline u_int16_t glob_seq = 0;
 		u_int16_t version;
@@ -77,6 +97,8 @@ class RegexRules{
 			}
 		}
 
+
+
 		void fill_ruleset(vector<pair<string, decoded_regex>> & decoded, regex_ruleset & ruleset){
 			size_t n_of_regex = decoded.size();
 			if (n_of_regex == 0){

backend/modules/nfregex/firegex.py

@@ -1,7 +1,6 @@
 from modules.nfregex.nftables import FiregexTables
 from utils import run_func
 from modules.nfregex.models import Service, Regex
-import re
 import os
 import asyncio
 import traceback
@@ -10,6 +9,20 @@ from fastapi import HTTPException
 
 nft = FiregexTables()
 
+async def test_regex_validity(regex: str) -> bool:
+    proxy_binary_path = os.path.join(os.path.dirname(os.path.abspath(__file__)),"../cppregex")
+    process = await asyncio.create_subprocess_exec(
+        proxy_binary_path,
+        stdout=asyncio.subprocess.PIPE,
+        stdin=asyncio.subprocess.DEVNULL,
+        env={"FIREGEX_TEST_REGEX": regex},
+    )
+    await process.wait()
+    if process.returncode != 0:
+        message = (await process.stdout.read()).decode()
+        return False, message
+    return True, "ok"
+
 class RegexFilter:
     def __init__(
         self, regex,
@@ -44,7 +57,6 @@ class RegexFilter:
             self.regex = self.regex.encode()
         if not isinstance(self.regex, bytes):
             raise Exception("Invalid Regex Paramether")
-        re.compile(self.regex) # raise re.error if it's invalid!
         case_sensitive = "1" if self.is_case_sensitive else "0"
         if self.input_mode:
             yield case_sensitive + "C" + self.regex.hex()

backend/routers/nfregex.py

@@ -1,5 +1,4 @@
 from base64 import b64decode
-import re
 import secrets
 import sqlite3
 from fastapi import APIRouter, Response, HTTPException
@@ -9,6 +8,7 @@ from modules.nfregex.firewall import STATUS, FirewallManager
 from utils.sqlite import SQLite
 from utils import ip_parse, refactor_name, socketio_emit, PortType
 from utils.models import ResetRequest, StatusMessageModel
+from modules.nfregex.firegex import test_regex_validity
 
 class ServiceModel(BaseModel):
     status: str
@@ -299,10 +299,9 @@ async def regex_disable(regex_id: int):
 @app.post('/regexes', response_model=StatusMessageModel)
 async def add_new_regex(form: RegexAddForm):
     """Add a new regex"""
-    try:
-        re.compile(b64decode(form.regex))
-    except Exception:
-        raise HTTPException(status_code=400, detail="Invalid regex")
+    regex_correct, message = await test_regex_validity(b64decode(form.regex))
+    if not regex_correct:
+        raise HTTPException(status_code=400, detail=f"Invalid regex: {message}")
     try:
         db.query("INSERT INTO regexes (service_id, regex, mode, is_case_sensitive, active ) VALUES (?, ?, ?, ?, ?);", 
                 form.service_id, form.regex, form.mode, form.is_case_sensitive, True if form.active is None else form.active )