
Lack of data validation - Source Code - Elixir


Need

Prevent denial of service caused by regular expressions that backtrack catastrophically on attacker-controlled input


Context

  1. Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
  2. Custom text-processing code that applies regular expressions to user-supplied input

Description

Insecure Code Example

defmodule InsecureApp do
  def process(text) do
    # ([a-z]+)* nests a quantifier inside a quantified group: on a run of
    # letters that cannot satisfy the trailing $, backtracking is exponential
    regex = ~r/([a-z]+)*$/
    Regex.match?(regex, text)
  end
end

This insecure snippet applies a regular expression with a nested quantifier, ([a-z]+)*, to a string the caller controls. A run of n lowercase letters can be split into groups in 2^(n-1) ways, and when the following $ cannot match (for example because the input ends in "!"), the engine tries every split before reporting failure, so the work grows exponentially with the length of the run. An attacker who submits such an input triggers a Regular Expression Denial of Service (ReDoS). Elixir's Regex is backed by Erlang's :re, which caps a single match at a match_limit (PCRE's default of 10,000,000 steps, after which the match simply fails) and yields to the scheduler, so one request will not by itself crash the node; it does, however, burn that whole budget of CPU, and a stream of such requests starves the other processes on the server.

Steps

  1. Refactor the regular expression so that no quantifier is nested inside another quantified group (for example, replace ([a-z]+)* with [a-z]+)
  2. Avoid quantifiers applied to groups that can match the same text in more than one way, and avoid backreferences
  3. Test the regular expression with adversarial inputs (long runs of the repeated character class followed by a character that cannot match) as well as with expected ones, and confirm that matching time grows linearly with input length

Secure Code Example

defmodule SecureApp do
  def process(text) do
    # a single unnested quantifier: the trailing run of letters is matched
    # in one pass, linear in the input length
    regex = ~r/[a-z]+$/
    Regex.match?(regex, text)
  end
end

This secure snippet presents the fixed regular expression. It uses a single, unnested quantifier, so the engine consumes the trailing run of letters in one pass and the cost stays linear in the input length, which removes the exponential backtracking behind the ReDoS. Note that the original pattern matched every input (the group may repeat zero times, and $ is found at the end of any string), so it never validated anything; the rewrite requires at least one trailing lowercase letter. If the intent is to accept only strings made entirely of lowercase letters, anchor the start as well (^[a-z]+$), and limit the length of untrusted input before matching it.
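The following added example is not part of the original page and is not code from the Elixir project. It puts the insecure and secure patterns above side by side, builds a constructed adversarial input for the insecure one, and shows two guards a practitioner would wrap around any regex that sees untrusted text: a size budget applied before the engine runs, and an explicit backtracking cap passed to Erlang's :re, which is what Elixir's Regex runs on. The module name ReDoSDemo, the @max_len budget, the 100_000 step limit and the helper names are assumptions made here.

```elixir
# Added illustration, not code from the original page: compares the two
# patterns on an adversarial input and shows two defences around the match.
# ReDoSDemo, @max_len, bounded_match?/3 and the 100_000 cap are assumptions.
defmodule ReDoSDemo do
  @vulnerable ~r/([a-z]+)*$/ # nested quantifier from the insecure example
  @safe ~r/[a-z]+$/          # flat quantifier from the secure example
  @max_len 1_000             # hypothetical size budget for untrusted input

  # Constructed attacker input: a run of letters followed by one character
  # that can never satisfy `$`, so every way of splitting the run into groups
  # is tried before the engine gives up.
  def attack_input(n \\ 25), do: String.duplicate("a", n) <> "!"

  # Wall-clock cost of a single match in microseconds, for comparing patterns.
  def timed(regex, text), do: :timer.tc(fn -> Regex.match?(regex, text) end)

  # Same input, both patterns: the first cost grows geometrically with n until
  # :re's default match_limit stops it, the second stays flat.
  def compare(n \\ 25) do
    text = attack_input(n)
    {vuln_us, _} = timed(@vulnerable, text)
    {safe_us, _} = timed(@safe, text)
    %{length: byte_size(text), vulnerable_us: vuln_us, safe_us: safe_us}
  end

  # Defence 1: bound the input before the engine sees it. Even a linear
  # pattern should not be handed unbounded text.
  def process(text) when byte_size(text) > @max_len, do: {:error, :too_long}
  def process(text), do: {:ok, Regex.match?(@safe, text)}

  # Defence 2: cap the engine's backtracking budget explicitly. With
  # :report_errors, exceeding the cap surfaces as {:error, :match_limit}
  # instead of being indistinguishable from an ordinary nomatch.
  def bounded_match?(regex, text, limit \\ 100_000) do
    opts = [{:match_limit, limit}, :report_errors, {:capture, :none}]

    case :re.run(text, Regex.re_pattern(regex), opts) do
      :match -> {:ok, true}
      :nomatch -> {:ok, false}
      {:error, reason} -> {:error, reason}
    end
  end
end
```

In iex, ReDoSDemo.compare(20), compare(25) and compare(30) show the vulnerable column climbing while the safe column barely moves. ReDoSDemo.bounded_match?(~r/([a-z]+)*$/, ReDoSDemo.attack_input(30)) returns {:error, :match_limit} quickly, which is the signal to log and reject the request; the same call with ~r/[a-z]+$/ returns {:ok, false} with no backtracking to speak of.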


References

  • 187 - Lack of data validation - Source Code

  • Last updated

    2023/09/18