Lack of data validation - Source Code
Need
Prevent server crashes caused by the use of dangerous regular expressions
Context
- Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
- Usage of custom-made text processing functionality
Description
Non compliant code
defmodule InsecureApp do
def process(text) do
regex = ~r/([a-z]+)*$/
Regex.match?(regex, text)
end
end
This insecure code snippet in Elixir uses a complex and potentially dangerous regular expression to parse a string. In certain circumstances, an attacker might send a specially crafted string that, when evaluated by this regular expression, would cause a server crash due to the high computational requirement, also known as a ReDoS (Regular Expression Denial of Service) attack.
Steps
- Refactor the regular expression to prevent potential ReDoS attacks
- Avoid using quantifiers on groups or backreferences
- Test the regular expression with different string inputs to ensure it works as expected
Compliant code
defmodule SecureApp do
def process(text) do
regex = ~r/[a-z]+$/
Regex.match?(regex, text)
end
end
This secure code snippet in Elixir presents a fixed version of the regular expression. The regular expression has been simplified and avoids using quantifiers on groups, which reduces the risk of ReDoS attacks.