Go ReDoS Vulnerable Regex
Description
This detector identifies ReDoS (Regular Expression Denial of Service) vulnerabilities in Go applications using the regexp2 library. It flags regex patterns that are vulnerable to catastrophic backtracking when processing user-controlled input without timeout protection, potentially causing application hangs or denial of service.
Detection Strategy
• The application imports the github.com/dlclark/regexp2 library for regular expression processing
• Code uses regexp2.Compile() or regexp2.MustCompile() to create a regex pattern that contains dangerous constructs susceptible to catastrophic backtracking
• The compiled regex is used in matching operations (like FindString, Match, etc.) with user-controlled input data
• No match timeout is configured on the regex object to limit execution time
• The user input flows to the regex matching function without proper validation or sanitization
Vulnerable code example
package main

import (
	"net/http"

	"github.com/dlclark/regexp2"
)

func vulnerableRegexp(w http.ResponseWriter, r *http.Request) {...

✅ Secure code example
package main

import (
	"net/http"
	"time"

	"github.com/dlclark/regexp2"
)
...