Asymmetric Denial of Service - ReDoS - Elixir

Asymmetric Denial of Service - ReDoS - Elixir

Need

Prevent server crashes by avoiding expensive regular expression operations

Context

  • Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
  • Usage of Regex module for regular expressions

Description

Non compliant code

        defmodule MyApp.Service do
  def check_email_format(email) do
    Regex.match?(~r/([a-z0-9]+)*@([a-z0-9]+)*(.com)*/, email)
  end
end
        
        

This code is vulnerable because it uses a regular expression that can be exploited in a ReDoS attack. An attacker can provide an email string that causes excessive backtracking, leading to an excessive consumption of CPU resources and potentially causing the server to crash.

Steps

  • Avoid using quantifiers in your regular expressions that could lead to excessive backtracking.
  • Use a simpler, non-capturing regular expression to validate the email format.

Compliant code

        defmodule MyApp.Service do
  def check_email_format(email) do
    Regex.match?(~r/[a-z0-9]+@[a-z0-9]+\.com/, email)
  end
end
        
        

This code is safe because it uses a non-capturing regular expression to validate the email format, thus avoiding the risk of excessive backtracking and ReDoS attacks.

References