Asymmetric Denial of Service - ReDoS
Need
Prevent server crashes by avoiding expensive regular expression operations
Context
- Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
- Usage of Regex module for regular expressions
Description
Non compliant code
defmodule MyApp.Service do
  def check_email_format(email) do
    # ([a-z0-9]+)* repeats a group that itself contains a quantifier; the
    # unescaped "." in (.com)* also matches any character, not a literal dot
    Regex.match?(~r/([a-z0-9]+)*@([a-z0-9]+)*(.com)*/, email)
  end
end
This code is vulnerable because the pattern contains a nested quantifier, ([a-z0-9]+)*, and Elixir's Regex module runs on Erlang's :re engine, a backtracking (PCRE) matcher. A run of n letters can be split across the inner and outer repetitions in about 2^(n-1) ways, and when the match ultimately fails the engine tries every one of them. An attacker who sends a crafted string (for example, a long run of letters followed by a character that is not "@", with an "@" later in the string so the engine cannot reject it up front) makes the server spend CPU time exponential in the input length on a single request. The :re engine does enforce a backtracking budget (the match_limit option, PCRE's default) and returns :nomatch rather than looping forever, but the budget is large enough that each such request still consumes far more CPU than it cost the attacker to send, which starves other processes on the node. The unescaped "." in (.com)* is a separate correctness defect: it accepts any character where a literal dot was intended.
Steps
- Avoid nested quantifiers such as ([a-z0-9]+)* and alternations whose branches can match the same text; each input character should be consumable by only one path through the pattern, so that a failed match costs time linear in the input length.
- Use a flat pattern with no repeated groups to validate the email format, escape the literal dot, and anchor the pattern to the whole input so it validates rather than merely finding a substring.
- Bound the length of the input before matching it, and prefer to pass an explicit backtracking budget (the match_limit option of :re.run/3) so that a future change to the pattern cannot silently reintroduce an unbounded cost.
Compliant code
defmodule MyApp.Service do
  def check_email_format(email) do
    # Flat pattern: no repeated groups, literal dot escaped, anchored to the
    # whole input with \A and \z
    Regex.match?(~r/\A[a-z0-9]+@[a-z0-9]+\.com\z/, email)
  end
end
This code is safe because the pattern is flat: no group is repeated, so each input character can be consumed by at most one path through the pattern and a failed match costs time linear in the input length rather than exponential. Escaping the dot makes ".com" a literal suffix, and the \A and \z anchors make the check a validation of the whole string instead of a search for a matching substring.
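The following is an added example, not code from the original page. It puts the vulnerable and fixed patterns side by side, times both against a constructed payload so the exponential growth of the vulnerable one can be observed in iex, and wraps the fixed pattern in a validator that bounds the input length and passes an explicit backtracking budget to Erlang's :re.run/3. The module name MyApp.ReDoSDemo, the limits @max_len and @match_limit, and the payload shape are assumptions chosen for the example.

```elixir
# Added example, not code from the original page. Times the vulnerable and
# fixed patterns against a crafted input and shows a validator that bounds
# both the input length and PCRE's backtracking budget. Limits are illustrative.
defmodule MyApp.ReDoSDemo do
  # Vulnerable pattern from the page: ([a-z0-9]+)* nests a quantifier inside a
  # repeated group, so a run of n letters can be split in roughly 2^(n-1) ways.
  @vulnerable ~r/([a-z0-9]+)*@([a-z0-9]+)*(.com)*/

  # Fixed pattern: flat, literal dot escaped, anchored to the whole input.
  @safe ~r/\A[a-z0-9]+@[a-z0-9]+\.com\z/

  # Hypothetical limits for this example: 254 octets is the SMTP path length
  # limit for an address; match_limit is a per-call backtracking budget.
  @max_len 254
  @match_limit 100_000

  # Constructed payload. The "@" must be present, otherwise PCRE can reject the
  # subject before matching because a required literal is missing; the "!" in
  # front of it makes every partition of the "a" run fail at the "@" step.
  def payload(n), do: String.duplicate("a", n) <> "!@"

  # Wall-clock microseconds for one match attempt.
  def time_match(regex, input) do
    {micros, _result} = :timer.tc(fn -> Regex.match?(regex, input) end)
    micros
  end

  # Time both patterns for one payload length.
  def compare(n) do
    input = payload(n)
    %{n: n, vulnerable_us: time_match(@vulnerable, input), safe_us: time_match(@safe, input)}
  end

  # Print a small table; vulnerable_us should roughly double per extra "a"
  # until :re's default match_limit trips and Regex.match?/2 returns false.
  def demo(lengths \\ [12, 16, 20, 22]) do
    Enum.each(lengths, fn n ->
      %{vulnerable_us: v, safe_us: s} = compare(n)
      IO.puts("n=#{n}\tvulnerable=#{v}us\tsafe=#{s}us")
    end)
  end

  # Hardened validator: reject oversized input first, then run the flat
  # pattern with an explicit match_limit and report_errors so an exceeded
  # budget is distinguishable from an ordinary non-match.
  def check_email_format(email) when is_binary(email) do
    if byte_size(email) > @max_len do
      {:error, :too_long}
    else
      opts = [{:match_limit, @match_limit}, :report_errors, {:capture, :none}]

      case :re.run(email, Regex.re_pattern(@safe), opts) do
        :match -> :ok
        :nomatch -> {:error, :invalid_format}
        {:error, :match_limit} -> {:error, :match_budget_exceeded}
      end
    end
  end

  def check_email_format(_other), do: {:error, :not_a_string}
end
```

Run MyApp.ReDoSDemo.demo() in iex to see the vulnerable column grow with n while the safe column stays flat, and MyApp.ReDoSDemo.check_email_format("user@example.com") returns :ok while "user@example.com<script>" and a 300-byte string are rejected without reaching the matcher's worst case. The match_limit value is deliberately far below PCRE's default so that a pattern regression shows up as :match_budget_exceeded in application logs rather than as a CPU spike.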