
Asymmetric Denial of Service - ReDoS

Need

Prevent server crashes by avoiding expensive regular expression operations

Context

  • Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
  • Usage of Regex module for regular expressions

Description

Non compliant code

defmodule MyApp.Service do
  # Vulnerable: `([a-z0-9]+)*` nests one quantifier inside another, so a run of
  # alphanumerics can be split in exponentially many ways, and every split is
  # retried when the `@` that follows fails to match.
  def check_email_format(email) do
    Regex.match?(~r/([a-z0-9]+)*@([a-z0-9]+)*(.com)*/, email)
  end
end

This code is vulnerable to a ReDoS attack because the pattern contains nested quantifiers: `([a-z0-9]+)*` wraps a `+` inside a `*`, so a run of n alphanumeric characters can be partitioned in roughly 2^(n-1) ways. The underlying engine (PCRE, via Erlang's `:re`) is a backtracking matcher, and when the `@` that must follow the run is not where the engine expects it, every partition is tried before the attempt fails. A short crafted string therefore costs the server seconds of CPU, and a stream of such requests can degrade or take down the service. The pattern is also wrong as a format check: the `.` in `(.com)*` is unescaped and the group is optional, so almost any string containing `@` passes.

Steps

  • Do not nest quantifiers (forms such as `(x+)*` or `(x*)*`) and do not place two quantified pieces next to each other when they can match the same characters; these are the constructs that make a backtracking engine retry exponentially many splits.
  • Validate the email format with a flat, unambiguous pattern in which each quantified character class is followed by a literal (`@`, `.`) that the class cannot consume, escape the `.` in the domain, and anchor the pattern so the engine does not re-run the search at every offset of a long input.

Compliant code

defmodule MyApp.Service do
  # Safe: no nested quantifiers. Each `+` is bounded by a literal (`@`, `\.`)
  # that its character class cannot match, so there is only one way to match
  # any given position and backtracking stays linear in the input length.
  def check_email_format(email) do
    Regex.match?(~r/[a-z0-9]+@[a-z0-9]+\.com/, email)
  end
end

This code is safe because the pattern has no nested or overlapping quantifiers: each `[a-z0-9]+` is followed by a literal that the class cannot consume, so the engine never has more than one way to match a position and the risk of catastrophic backtracking is gone. Note that making the groups non-capturing (`(?:...)`) would not have fixed the original pattern; the nesting, not the capturing, is what causes the blow-up. Two caveats for practitioners: the pattern is unanchored, so `Regex.match?/2` scans for a match at every offset and accepts trailing junk, and anchoring with `\A` and `\z` (rather than `$`, which also matches before a final newline) both tightens the check and bounds the search; and the pattern accepts only lowercase alphanumerics and `.com`, so widening it for real addresses must be done without reintroducing nested quantifiers.
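The following is an added example, not code from the original page: it times the page's vulnerable pattern and an anchored form of its safe pattern against a constructed attacker-style input so the exponential growth is visible. The module name `ReDoSDemo`, the function names, the payload shape and the `\A`/`\z` anchors are assumptions made for the demonstration.

```elixir
# Added example (not from the original page). Compares the vulnerable and the
# hardened pattern on a constructed payload. Module, function names, payload
# and the anchored variant of the safe regex are assumptions for this demo.
defmodule ReDoSDemo do
  # The page's vulnerable pattern. `([a-z0-9]+)*` nests `+` inside `*`, so a run
  # of n alphanumerics can be split in about 2^(n-1) ways, and each split is
  # retried when the `@` that follows does not match at that position.
  @vulnerable ~r/([a-z0-9]+)*@([a-z0-9]+)*(.com)*/

  # The page's safe pattern plus \A and \z anchors (an assumption, not the
  # page's code). Every `+` is followed by a literal its class cannot consume,
  # so there is one way to match each position, and the anchors stop the
  # engine from restarting the search at every offset of a long input.
  @safe ~r/\A[a-z0-9]+@[a-z0-9]+\.com\z/

  # Constructed payload: n alphanumerics, then a character no class accepts,
  # then an `@` so the subject still contains the literal the pattern requires.
  # Without the `@`, PCRE's start-of-match optimizations may reject the string
  # before any backtracking happens and the cost would not show.
  def payload(n), do: String.duplicate("a", n) <> "!@"

  # Runs Regex.match?/2 once and returns {microseconds, result}.
  def timed(regex, input), do: :timer.tc(fn -> Regex.match?(regex, input) end)

  def run do
    valid = "alice@example.com"
    IO.puts("valid address: vulnerable=#{Regex.match?(@vulnerable, valid)} " <>
            "safe=#{Regex.match?(@safe, valid)}")

    # Each extra "a" roughly doubles the work for the vulnerable pattern;
    # the safe pattern rejects the payload in constant time.
    for n <- [8, 12, 16, 20] do
      input = payload(n)
      {t_vuln, r_vuln} = timed(@vulnerable, input)
      {t_safe, r_safe} = timed(@safe, input)
      IO.puts("n=#{n}: vulnerable #{t_vuln} us (#{r_vuln}), safe #{t_safe} us (#{r_safe})")
    end
  end
end

ReDoSDemo.run()
```

Run it with `elixir redos_demo.exs` (file name is an assumption) and watch the vulnerable column grow with n while the safe column stays flat. Two things to know when reading the output: the vulnerable pattern eventually reports `true` because the trailing `@` alone satisfies it, which is the correctness flaw noted above; and Erlang's `:re` documentation describes a `match_limit` option (default 10,000,000) after which a match is abandoned and reported as no match, so on large n the vulnerable call may return `false` after burning through that budget rather than running without bound. A bounded wrong answer is still a denial of service when many requests arrive at once, so the fix is the pattern, not the limit.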
