
Regular expression injection #247

Open
odaysec opened this issue Feb 26, 2025 · 3 comments

odaysec commented Feb 26, 2025

```javascript
config.exclude_regex = new RegExp(config.exclude_regex)
```

Constructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.

Recommendation

Before embedding user input into a regular expression, use a sanitization function such as lodash's _.escapeRegExp to escape meta-characters that have special meaning.

POC

The following shows an HTTP request parameter that is used to construct a regular expression without sanitizing it first:

```javascript
var express = require('express');
var app = express();

app.get('/findKey', function(req, res) {
  var key = req.param("key"), input = req.param("input");

  // BAD: Unsanitized user input is used to construct a regular expression
  var re = new RegExp("\\b" + key + "=(.*)\n");

  // Apply the pattern to the second parameter and return the captured value
  var m = re.exec(input);
  res.send(m ? m[1] : "not found");
});
```

Instead, the request parameter should be sanitized first, for example using the function _.escapeRegExp from the lodash package. This ensures that the user cannot insert characters which have a special meaning in regular expressions.

```javascript
var express = require('express');
var _ = require('lodash');
var app = express();

app.get('/findKey', function(req, res) {
  var key = req.param("key"), input = req.param("input");

  // GOOD: User input is sanitized before constructing the regex
  var safeKey = _.escapeRegExp(key);
  var re = new RegExp("\\b" + safeKey + "=(.*)\n");

  // Apply the pattern to the second parameter and return the captured value
  var m = re.exec(input);
  res.send(m ? m[1] : "not found");
});
```

References

OWASP: Regular expression Denial of Service - ReDoS
Wikipedia: ReDoS
npm: lodash
Common Weakness Enumeration: CWE-730
Common Weakness Enumeration: CWE-400
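Added example, not code from this issue or from the agent itself: a dependency-free escape helper (a hand-written equivalent of lodash's `_.escapeRegExp`, so the block runs offline), the unsafe and escaped forms of the `findKey` pattern side by side so the change in meaning is visible on harmless input, and a defensive compile step for a config-supplied pattern such as `exclude_regex`. The `(\S*)` capture, the `maxLen` limit and all sample strings are assumptions of this example.

```javascript
// Escape every character that has special meaning in a JS regular expression,
// mirroring what lodash's _.escapeRegExp does (hand-written here, no dependency).
function escapeRegExp(s) {
  return String(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// BAD: key is interpolated verbatim, so metacharacters rewrite the pattern.
function unsafeKeyRegex(key) {
  return new RegExp('\\b' + key + '=(\\S*)');
}

// GOOD: key is escaped, so it can only ever match itself literally.
function safeKeyRegex(key) {
  return new RegExp('\\b' + escapeRegExp(key) + '=(\\S*)');
}

// Look up the value of "key=value" in a line of text using the safe pattern.
function findKey(key, input) {
  const m = safeKeyRegex(key).exec(input);
  return m ? m[1] : null;
}

// A pattern that is *meant* to be a regex (like config.exclude_regex) cannot be
// escaped, so validate it instead: bound its length and catch syntax errors
// rather than letting an invalid pattern throw at startup. maxLen is assumed.
function compileConfigRegex(pattern, maxLen = 256) {
  if (typeof pattern !== 'string' || pattern.length > maxLen) return null;
  try {
    return new RegExp(pattern);
  } catch (e) {
    return null; // invalid regex syntax
  }
}

// Constructed sample input: a log line with several key=value pairs.
const SAMPLE = 'host=db01 user=alice role=admin';
```

With `key = "a+"`, the unsafe form matches `aa=2` while the escaped form matches only the literal `a+=1`; the two compiled sources differ exactly in the escaped `\+`.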


c-nixon commented Feb 26, 2025

Thanks for the report, this repository is no longer maintained.

lamcodeofpwnosec commented

Hi @c-nixon, can you merge this pull request to fix this issue? #248


c-nixon commented Feb 26, 2025

This agent has been deprecated and we don't maintain this repository anymore nor provide builds. See https://github.com/logdna/logdna-agent-v2 for the currently maintained codebase.
