Lack of data validation - Source Code - Elixir

Need

Prevent server crashes caused by the use of dangerous regular expressions

Context

  • Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
  • Usage of custom-made text processing functionality

Description

Non-compliant code

    # Non-compliant: the nested quantifier ([a-z]+)* lets the engine split one
    # run of letters in exponentially many ways, so an input that fails to match
    # near its end forces heavy backtracking before a result is returned.
    defmodule InsecureApp do
      def process(text) do
        regex = ~r/([a-z]+)*$/
        Regex.match?(regex, text)
      end
    end

This insecure Elixir snippet checks a string against a needlessly complex regular expression. The nested quantifier `([a-z]+)*` lets the regex engine try exponentially many ways of splitting a run of letters, so a specially crafted string from an attacker can keep the engine backtracking for a very long time; the resulting CPU exhaustion can bring the server down. This is known as a ReDoS (Regular Expression Denial of Service) attack.

Steps

  • Refactor the regular expression to prevent potential ReDoS attacks
  • Avoid using quantifiers on groups or backreferences
  • Test the regular expression with different string inputs to ensure it works as expected

Compliant code

    # Compliant: no quantified group, so each character is consumed at most
    # once and the match completes in time linear in the input length.
    defmodule SecureApp do
      def process(text) do
        regex = ~r/[a-z]+$/
        Regex.match?(regex, text)
      end
    end

This secure Elixir snippet presents a fixed version of the regular expression. The pattern `[a-z]+$` matches the same strings as the original but has no quantifier applied to a group, so the engine consumes each character at most once instead of retrying every possible split, which reduces the risk of ReDoS attacks.
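The following is an added example, not code from the original page: it combines the simplified pattern with an input length limit (the data validation the page's title refers to) and a helper that runs any regex in a separate process with a time budget, which is one way to carry out the "test with different string inputs" step. The module name, the 256-byte limit and the 100 ms budget are assumptions; the pattern is anchored at both ends, a slight generalization of the page's `[a-z]+$`.

```elixir
# Added example (not part of the original page): length-checked validation
# plus a time-bounded regex match for regression tests.
defmodule SafeTextValidator do
  @max_len 256      # assumption: reject oversized input before matching
  @timeout_ms 100   # assumption: budget for a single match

  # Anchored at both ends, no nested quantifier: each character is consumed
  # at most once, so matching time is linear in the input length.
  @word_re ~r/^[a-z]+$/

  @doc "Returns :ok, or {:error, reason} when the text is rejected."
  def validate(text) when is_binary(text) do
    cond do
      byte_size(text) > @max_len -> {:error, :too_long}
      Regex.match?(@word_re, text) -> :ok
      true -> {:error, :invalid_chars}
    end
  end

  def validate(_), do: {:error, :not_a_string}

  @doc """
  Runs `regex` against `text` in a separate process and gives up after
  `timeout_ms`, killing the worker. Use it in tests to confirm a pattern
  stays fast on long inputs that almost match.
  """
  def match_within(regex, text, timeout_ms \\ @timeout_ms) do
    task = Task.async(fn -> Regex.match?(regex, text) end)

    case Task.yield(task, timeout_ms) || Task.shutdown(task, :brutal_kill) do
      {:ok, result} -> {:ok, result}
      {:exit, reason} -> {:error, {:crashed, reason}}
      nil -> {:error, :timeout}
    end
  end
end

# Constructed inputs for a quick regression check (run with `elixir file.exs`)
:ok = SafeTextValidator.validate("hello")
{:error, :invalid_chars} = SafeTextValidator.validate("hello!")
{:error, :too_long} = SafeTextValidator.validate(String.duplicate("a", 300))

# The simplified pattern returns promptly even on a long near-miss input
near_miss = String.duplicate("a", 10_000) <> "!"
{:ok, false} = SafeTextValidator.match_within(~r/^[a-z]+$/, near_miss)
IO.puts("all checks passed")
```

`match_within/3` is meant for test suites rather than request handling, since spawning a task per match adds overhead; in production the length limit and the linear-time pattern are the protection.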

References