Lack of data validation

Lack of data validation - Source Code

Need

Prevent server crashes caused by the use of dangerous regular expressions

Context

• Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications

• Usage of custom-made text processing functionality

Description

1. Non compliant code

defmodule InsecureApp do
  def process(text) do
    regex = ~r/([a-z]+)*$/
    Regex.match?(regex, text)
  end
end

This insecure code snippet in Elixir uses a complex and potentially dangerous regular expression to parse a string. In certain circumstances, an attacker might send a specially crafted string that, when evaluated by this regular expression, would cause a server crash due to the high computational requirement, also known as a ReDoS (Regular Expression Denial of Service) attack.

2. Steps

• Refactor the regular expression to prevent potential ReDoS attacks

• Avoid using quantifiers on groups or backreferences

• Test the regular expression with different string inputs to ensure it works as expected

3. Secure code example

defmodule SecureApp do
  def process(text) do
    regex = ~r/[a-z]+$/
    Regex.match?(regex, text)
  end
end

This secure code snippet in Elixir presents a fixed version of the regular expression. The regular expression has been simplified and avoids using quantifiers on groups, which reduces the risk of ReDoS attacks.

References

• 187. Lack of data validation - Source Code

On this page