This project provides tools to scan your projects for vulnerable regexes. These are regexes that could lead to catastrophic backtracking.
1. Set the environment variable `VULN_REGEX_DETECTOR_ROOT` to wherever you cloned the repo.
2. Run the `configure` script to install dependencies and build the detectors.
3. Try the scripts in `bin`. See their README for details.

If you don't want to install and run the detectors locally, you can use the vuln-regex-detector npm module.
This module uses the `src/cache/client/npm` code to query a server hosted at Virginia Tech. The server runs the `src/cache/server` code. See the corresponding README for more details.
Scanning a project has three stages:
1. Regex extraction. In this stage regexes are statically extracted from the project's source code. See here for more details.
2. Vulnerability detection. In this stage the regexes are tested for vulnerability. See here for more details.

   Testing regexes for vulnerability is expensive. As a result, the default configuration of this repo queries a server to see whether the regex has previously been tested for safety. See here for more details. If this is a problem, you can turn it off or direct queries to your own server by editing `src/cache/.config.json` in your clone. The source for the server is included in `src/cache`.
3. Vulnerability validation. In this stage the results of the vulnerability tests are validated. The vulnerability detectors are not always correct. Happily, each emits evil input it believes will trigger catastrophic backtracking. We have vulnerability validators to check their recommendation in the language(s) in which you will use the regexes. See here for more details.
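As an added illustration of the validation stage (example code, not part of this project): a small Python checker materialises a detector-style evil input from a prefix/pump/suffix description, grows the pump count, and reports the regex as vulnerable once Python's `re` needs more than a fixed time budget to decide the match, which is the same kind of timeout verdict a validator produces in the target language. The prefix/pump/suffix shape, the sample pattern `(a+)+$` and the budget are assumptions for the example; the project's own validators and evil-input format may differ.

```python
import re
import time

# Constructed evil input for the pattern (a+)+$ (an assumption for this example):
# many 'a's followed by a character that forces the overall match to fail.
EVIL_INPUT = {"prefix": "", "pump": "a", "suffix": "!"}


def build_input(evil, pumps):
    """Materialise the evil input with the pump string repeated `pumps` times."""
    return evil["prefix"] + evil["pump"] * pumps + evil["suffix"]


def time_match(pattern, text):
    """Seconds Python's backtracking `re` engine needs to decide a search.
    search() is used because that is how most application code hits a regex;
    it retries from every start position, which only makes the blow-up worse."""
    compiled = re.compile(pattern)
    start = time.perf_counter()
    compiled.search(text)
    return time.perf_counter() - start


def validate(pattern, evil, max_pumps=30, ceiling=0.2):
    """Grow the pump count until one match exceeds `ceiling` seconds.

    Returns (vulnerable, pumps_at_stop, seconds). A safe regex stays far below
    the ceiling even at max_pumps; a super-linear one crosses it long before.
    Because the pump count grows by one, the total time spent before the
    verdict is bounded by roughly twice the ceiling for exponential patterns.
    """
    elapsed = 0.0
    for pumps in range(1, max_pumps + 1):
        elapsed = time_match(pattern, build_input(evil, pumps))
        if elapsed > ceiling:
            return True, pumps, elapsed
    return False, max_pumps, elapsed


if __name__ == "__main__":
    # Compare the detector-flagged pattern with an equivalent-looking safe one.
    for pat in ["(a+)+$", "a+$"]:
        vulnerable, pumps, secs = validate(pat, EVIL_INPUT)
        verdict = "VULNERABLE" if vulnerable else "safe"
        print(f"{pat!r}: {verdict} (stopped at {pumps} pumps, {secs:.3f}s)")
```

The verdict only holds for the engine it was measured on; a regex that backtracks catastrophically in Python's `re` may behave differently under RE2-style or Rust engines, which is why the validators run in the language you will actually deploy the regex in.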
The scripts in `bin/` implement this pipeline.
In brief, let's review how the analysis works:
Here are the shortcomings of the analysis.
Regexes are extracted statically, so if a regex is built dynamically (e.g. `new Regex(patternAsAVariable)`) we do not know about it.

The configuration code supports Ubuntu directly (tested on Ubuntu 16); for other distros/OSes a container can be used (see Docker below). Everything else should work on any Linux. Open an issue if you want other distros/OSes and we can discuss.
A `Dockerfile` is provided to make the code easier to configure on non-Ubuntu systems. The image can be built and used as follows:

```shell
$ docker build -t vuln-regex-detector .
$ docker run --rm -v /tmp/query:/query vuln-regex-detector bin/check-regex.pl /query/unsafe-1.json
```

where `/tmp/query/unsafe-1.json` contains the pattern to be checked.
Contributions welcome!
If you want to enhance the scan, here are the instructions.