Security Notes: RegEx


Denial-of-Service Regex Vulnerability

One of the most common, and yet hard-to-spot, vulnerabilities I encounter relates to regular expressions that are either poorly written or poorly implemented.

Warning Signs

  1. The expression has multiple capture groups
  2. It uses global matching
  3. It is used with unchecked user input

Mitigation / Resolution

  1. RegEx is hard
    1. For example, here is how the really smart folks at OWASP recommend handling IP validation: ^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
    2. That’s longer than a tweet, for a 4-byte IP Address!!!
  2. Make sure user input isn’t unduly long. When I know input data is reliably less than 40 chars, I’ll make sure I prevent anything over 64; otherwise, an attacker could overwhelm my system with a flood of 4Kb requests.
  3. This affects almost every language and platform: .NET/Node/Python/Perl/Java
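
Added example, not from the original post: a Node.js guard that applies the length cap before the pattern ever runs, using the OWASP IPv4 expression quoted above. The names `guardedMatch`, `isValidIPv4` and `MAX_INPUT_LEN` are hypothetical, and the sample inputs are constructed.

```javascript
'use strict';

// OWASP IPv4 pattern quoted in the post, built from one octet group.
// It is anchored (^...$) and has no nested quantifiers.
const OCTET = '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)';
const IPV4 = new RegExp(`^${OCTET}\\.${OCTET}\\.${OCTET}\\.${OCTET}$`);

// The post's cap for fields known to stay under 40 characters.
const MAX_INPUT_LEN = 64;

// Run a regex only after cheap type and length checks, so oversized or
// malformed input is rejected before the regex engine does any work.
function guardedMatch(regex, input, maxLen = MAX_INPUT_LEN) {
  // Parsed request data is not always a string (e.g. a query parameter
  // that arrived as an array), so check the type first.
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not-a-string' };
  }
  if (input.length > maxLen) {
    return { ok: false, reason: 'too-long' };
  }
  // A regex with the g or y flag keeps lastIndex between calls; reset it
  // so the result never depends on a previous input.
  regex.lastIndex = 0;
  return regex.test(input)
    ? { ok: true, reason: 'match' }
    : { ok: false, reason: 'no-match' };
}

function isValidIPv4(input) {
  return guardedMatch(IPV4, input).ok;
}

// Constructed sample inputs.
const samples = ['192.168.0.1', '256.1.1.1', '1'.repeat(4096), ['10.0.0.1']];
for (const s of samples) {
  const label = typeof s === 'string' ? `${s.slice(0, 20)} (len ${s.length})` : 'array';
  console.log(label, '->', guardedMatch(IPV4, s).reason);
}
```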

Reference

Regular Expression DoS and Node.js
