search

davisjam / vuln-regex-detector

Detect vulnerable regexes in your project. REDOS, catastrophic backtracking.
MIT License
320 stars 29 forks source link

Most patterns that include constant strings are treated as 'INVALID' #66

Open immo-huneke-zuhlke opened 5 years ago

immo-huneke-zuhlke commented 5 years ago

For example: "^\d+": SAFE "^\d+:": INVALID "^\d+z": INVALID

"(a+)+$": VULNERABLE "(b+)+$": INVALID "x": INVALID

immo-huneke-zuhlke commented 5 years ago

It looks as if a change was recently made to the server code and only previously evaluated patterns are returned correctly now. Everything else is treated as INVALID.

davisjam commented 5 years ago

That's a bit surprising because I don't believe I deployed the recent pushes to the server. But I will take a look. Thanks!

This might instead be due to certificate + the local cache, depending on how you're using the system. Are you using the vuln-regex-detector npm module?

immo-huneke-zuhlke commented 5 years ago

Answer to your earlier question (it took me a while to understand what you're driving at):

Yes, we are using the npm module. Here is an extract of the program:

const cacheConfig = { type: vulnRegexDetector.cacheTypes.persistent }; const config = { cache: cacheConfig, };

process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0; // Server certificate has expired!

No idea whether that means we are using the "local cache" or not. Since I last tried it nearly a week ago, my MacBook Pro has been restarted several times. Now I find that ALL patterns are returned as INVALID. What can I do to reset or disable the cache?

immo-huneke-zuhlke commented 5 years ago

I'm running this under MacOS X and it seemed to work fine to start with. But I didn't run the configure command - and now that I have tried (in order to fix the hypothetical caching problem) I discover that it cannot be run other than under Ubuntu Linux!

Is it actually necessary to run the configure command if I'm only trying to use the client?

NB I found the default cache configuration in vuln-regex-detector-client.js and set it to CACHE_TYPE:none (both in the vuln-regex-detector project, which is what VULN_REGEX_DETECTOR_ROOT points to, and in the node_modules folder of the project I'm trying to scan. It still reports INVALID for every pattern, and in fact the cache folder is empty.

davisjam commented 5 years ago

Is it actually necessary to run the configure command if I'm only trying to use the client?

Nope. You just need to point the module at an appropriate endpoint (e.g. the one I have deployed at Virginia Tech, or one you manage internally if you're uncomfortable sending regexes to outsiders).

CACHE_TYPE:none

OK.

It still reports INVALID for every pattern

It should not be doing this. My deadlines wrap up today so I will be able to triage shortly.