Python Regex Dos With Untrusted Input
Description
Detects potential Regular Expression Denial of Service (ReDoS) vulnerabilities in Python code. This occurs when untrusted user input is used directly in regular expression operations (re.match, re.search, re.findall) without proper validation, which could lead to catastrophic backtracking and denial of service.
Detection Strategy
• Identifies calls to dangerous regular expression functions: re.match, re.search, re.findall
• Checks if the regex pattern argument comes from an untrusted source (like user input, file content, or network data)
• Reports a vulnerability when a dangerous regex function is called with a pattern derived from untrusted input
Vulnerable code example

```python
from flask import request
import re

def vulnerable_regex():
    # Vulnerable: Uses regex pattern susceptible to catastrophic backtracking
    pattern = "^(([a-z])+.)+[A-Z]([a-z])+$"
    # Each of these regex operations can be exploited with crafted input...
    user_input = request.args.get("text", "")  # assumed: the untrusted request parameter
    return re.match(pattern, user_input), re.search(pattern, user_input), re.findall(pattern, user_input)
```

Secure code example
```python
from flask import request
import re

def safe_regex():
    # Safe: Simple pattern without nested quantifiers to prevent backtracking
    pattern = "^[a-z]+[A-Z][a-z]+$"
    # Add timeout parameter to prevent long-running regex operations...
    user_input = request.args.get("text", "")  # assumed: the untrusted request parameter
    return re.match(pattern, user_input)
```

Note that the standard library `re` module accepts no timeout argument; a per-call timeout is available in the third-party `regex` module (its `timeout` parameter), and bounding the length of the matched input is an additional mitigation.