beltoforion / muparserx

A C++ Library for Parsing Expressions with Strings, Complex Numbers, Vectors, Matrices and more.
http://beltoforion.de/en/muparserx
BSD 2-Clause "Simplified" License

Tolerance to malicious expressions? #51

Closed nasailja closed 9 years ago

nasailja commented 9 years ago

How tolerant is muparserx to input from potentially malicious users, has this been investigated in any way?

For example someone could try to use up all memory by creating large matrices in expressions but this seems to require that EnableAutoCreateVar is called first. Or what about putting e.g. zeros(1000000000000) into an expression expecting a scalar, would that still create a too large matrix?

Has anyone investigated how vulnerable muparserx is to expressions designed to cause e.g. buffer overruns and/or arbitrary code execution?

beltoforion commented 9 years ago

This hasn't been investigated. muparserx will throw std::bad_alloc in case of memory shortages. It's the responsibility of the client code to make sure this does not happen or deal gracefully with it. I can't introduce arbitrary limits to the size of matrices, and C++ does not provide a standard-compliant way to investigate the existing memory size. muparserx is neither aimed at being used in flight control systems nor medical equipment; for everything else standard C++ should suffice.
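The client-side handling described in this reply (catch std::bad_alloc; keep any size limit in the client, for instance inside the callback it registers for a matrix-producing function like zeros), as an added example that is not muparserx code and not from anyone in this thread. The element budget, the bounded zeros callback and the guarded evaluation wrapper are hypothetical client code; the parser's evaluation call is stood in by a std::function.

```cpp
// Added example (not muparserx code): guard rails a client can place around
// evaluation of untrusted expressions. (1) muparserx throws std::bad_alloc on
// allocation failure, so the client must catch it; (2) size limits belong in
// the client, e.g. in its own callback for a matrix-producing function.
#include <cstdint>
#include <functional>
#include <new>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical budget chosen by the client: maximum number of elements any
// single matrix produced by an expression may hold.
constexpr std::uint64_t kMaxElements = 1000000;  // 1e6 doubles, about 8 MB

// Overflow-safe check of rows*cols against the budget; false means the
// product exceeds the budget (or would wrap around 64 bits).
bool withinBudget(std::uint64_t rows, std::uint64_t cols) {
    if (rows == 0 || cols == 0) return true;       // empty matrix, nothing to allocate
    if (rows > kMaxElements / cols) return false;  // rows*cols > budget, no overflow
    return true;
}

// A bounded zeros(rows, cols) callback: refuses oversized requests with an
// error instead of attempting the allocation.
std::vector<double> boundedZeros(std::uint64_t rows, std::uint64_t cols) {
    if (!withinBudget(rows, cols))
        throw std::length_error("matrix size exceeds configured limit");
    return std::vector<double>(static_cast<std::size_t>(rows * cols), 0.0);
}

struct EvalResult {
    bool ok;
    std::string error;  // empty when ok
};

// Runs one evaluation step (stand-in for the parser's evaluation call) and
// turns the failure modes discussed in the thread into a result the caller
// can act on instead of letting the exception unwind the whole service.
EvalResult evaluateGuarded(const std::function<void()>& eval) {
    try {
        eval();
        return {true, ""};
    } catch (const std::bad_alloc&) {
        return {false, "expression exhausted memory (std::bad_alloc)"};
    } catch (const std::length_error& e) {
        return {false, std::string("rejected: ") + e.what()};
    } catch (const std::exception& e) {
        return {false, std::string("parser error: ") + e.what()};
    }
}
```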

martinrotter commented 9 years ago

@beltoforion I cannot agree more. Of course, muparserx can be used in quite important projects and can lead to some serious bugs, but in this kind of software I would not even expect that somebody could perform some kind of security audit just like that. muparserx is not True Crypt.

On the other hand, once serious vulnerabilities are discovered, they should be fixed.

nasailja commented 9 years ago

Trying to allocate a matrix larger than available memory is certainly a nuisance but not nearly as serious as arbitrary code execution via the expression parser. Was such a possibility considered when developing the parser or is its security/insecurity a byproduct of the implementation?

beltoforion commented 9 years ago

muparserx can not execute arbitrary code unless you add a function that will execute arbitrary code. muparserx is also not a scripting engine since it is lacking commands for flow control.

nasailja commented 9 years ago

muparserx wasn't designed to execute arbitrary code, yes, but that doesn't mean it's not possible unless proper steps have been taken to prevent those kinds of attacks. I think here's an example of a vulnerability report for a different parser: http://www.cvedetails.com/cve/CVE-2008-3196/

I'll assume that people haven't looked into muparserx from this perspective. Thanks.

beltoforion commented 9 years ago

I really don't see the potential for such an attack. The syntax checks are very strict. The input must be a mathematical expression; everything else is rejected immediately. Identifiers must conform to predefined character sets, and those sets don't allow characters that might be used for malicious purposes. I can however give no guarantees; I can only guarantee to close every hole that is reported.