logdna-agent icon indicating copy to clipboard operation
logdna-agent copied to clipboard
verified publisher icon logdna

Regular expression injection

Open odaysec opened this issue 10 months ago • 3 comments

https://github.com/logdna/logdna-agent/blob/2313b15a8223905bbf69860ecd61eda79a866168/index.js#L279-L279

Constructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.

Recommendation

Before embedding user input into a regular expression, use a sanitization function such as lodash's _.escapeRegExp to escape meta-characters that have special meaning.

POC

The following shows a HTTP request parameter that is used to construct a regular expression without sanitizing it first:

var express = require('express');
var app = express();

app.get('/findKey', function(req, res) {
  var key = req.param("key"), input = req.param("input");

  // BAD: Unsanitized user input is used to construct a regular expression
  var re = new RegExp("\\b" + key + "=(.*)\n");
});

Instead, the request parameter should be sanitized first, for example using the function _.escapeRegExp from the lodash package. This ensures that the user cannot insert characters which have a special meaning in regular expressions.

var express = require('express');
var _ = require('lodash');
var app = express();

app.get('/findKey', function(req, res) {
  var key = req.param("key"), input = req.param("input");

  // GOOD: User input is sanitized before constructing the regex
  var safeKey = _.escapeRegExp(key);
  var re = new RegExp("\\b" + safeKey + "=(.*)\n");
});

References

OWASP: Regular expression Denial of Service - ReDoS Wikipedia: ReDoS npm: lodash Common Weakness Enumeration: CWE-730 Common Weakness Enumeration: CWE-400

odaysec avatar Feb 26 '25 11:02 odaysec

Thanks for the report, this repository is no longer maintained.

c-nixon avatar Feb 26 '25 13:02 c-nixon

hi @c-nixon can you merged this pull-request as for fix this issue https://github.com/logdna/logdna-agent/pull/248

kreeksec avatar Feb 26 '25 13:02 kreeksec

This agent has been deprecated and we don't maintain this repository anymore nor provide builds. See https://github.com/logdna/logdna-agent-v2 for the currently maintained codebase.

c-nixon avatar Feb 26 '25 13:02 c-nixon