
Asymmetric Denial of Service - ReDoS - Elixir


Need

Prevent server crashes by avoiding expensive regular expression operations


Context

  1. Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
  2. Usage of Regex module for regular expressions

Description

Insecure Code Example

defmodule MyApp.Service do
  # Vulnerable on purpose: the nested quantifiers `([a-z0-9]+)*` let the
  # engine split the same run of characters in many ways, so a non-matching
  # input forces excessive backtracking. The unescaped `.` in `(.com)*` also
  # matches any character rather than a literal dot.
  def check_email_format(email) do
    Regex.match?(~r/([a-z0-9]+)*@([a-z0-9]+)*(.com)*/, email)
  end
end

This code is vulnerable because its regular expression can be exploited in a ReDoS attack: the nested quantifiers `([a-z0-9]+)*` and `([a-z0-9]+)*` let the engine try many ways of splitting the same characters. An attacker can provide an email string that causes excessive backtracking, consuming CPU for a long time on a single request and potentially causing the server to crash.

Steps

  1. Avoid nested or overlapping quantifiers (such as `(x+)*`) in your regular expressions, since they can lead to excessive backtracking.
  2. Use a simpler regular expression without groups to validate the email format.

Secure Code Example

defmodule MyApp.Service do
  # Each character class has a single quantifier and the dot is escaped, so
  # there is no ambiguity for the engine to backtrack over.
  def check_email_format(email) do
    Regex.match?(~r/[a-z0-9]+@[a-z0-9]+\.com/, email)
  end
end

This code is safe because it uses a regular expression without groups or nested quantifiers to validate the email format, so each input position is examined a bounded number of times, avoiding the risk of excessive backtracking and ReDoS attacks.
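The following module is an added example, not code from the original page, and goes one step beyond the secure snippet above: it anchors the linear-time pattern, rejects oversized input before the regex engine runs, and wraps any regex that cannot yet be rewritten in a bounded task. The module name `MyApp.SafeEmail`, the 254-byte cap and the 100 ms default timeout are assumptions chosen for illustration.

```elixir
defmodule MyApp.SafeEmail do
  # Anchored pattern with one quantifier per class and an escaped dot:
  # no nested quantifiers, so matching is linear in the input length.
  @email_re ~r/\A[a-z0-9]+@[a-z0-9]+\.com\z/
  # Assumed upper bound; reject oversized input before the engine sees it.
  @max_len 254

  @spec valid?(term) :: boolean
  def valid?(email) when is_binary(email) and byte_size(email) <= @max_len do
    Regex.match?(@email_re, email)
  end

  def valid?(_), do: false

  # Defence in depth for a regex you cannot rewrite yet: run the match in a
  # separate process and give up after `timeout_ms`. A pathological input
  # then costs one killed task instead of a request handler stuck on CPU.
  @spec bounded_match?(Regex.t(), String.t(), non_neg_integer) ::
          {:ok, boolean} | {:error, :timeout | term}
  def bounded_match?(regex, input, timeout_ms \\ 100) do
    task = Task.async(fn -> Regex.match?(regex, input) end)

    # Task.yield returns nil on timeout; Task.shutdown then kills the task
    # (or returns a reply that arrived in the meantime).
    case Task.yield(task, timeout_ms) || Task.shutdown(task, :brutal_kill) do
      {:ok, result} -> {:ok, result}
      {:exit, reason} -> {:error, reason}
      nil -> {:error, :timeout}
    end
  end
end
```

`valid?/1` is the fix to apply to `check_email_format/1`; `bounded_match?/3` only limits the damage and should be paired with a log entry or metric whenever it returns `{:error, :timeout}`, since that is a strong signal of ReDoS probing.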


References

  • 211 - Asymmetric Denial of Service - ReDoS

  • Last updated

    2023/09/18