Page MenuHomePhabricator
Create Task
Maniphest T256661

Implement ReDoS detection
Closed, ResolvedPublic
Actions

Description

Basically, this would mean recognizing preg_* and similar functions as EXEC. What taint type, I don't know. I don't think there's a proper way to sanitize user input in regexps, so probably a new type that cannot be cleared. Low priority because this will likely have a ton of false positives.

Details

SubjectRepoBranchLines +/-
Implement ReDoS detectionmediawiki/tools/phan/SecurityCheckPluginmaster+119 -21
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.Jun 29 2020, 5:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 29 2020, 5:23 PM
Daimona triaged this task as Low priority.Jun 29 2020, 5:23 PM
sbassett subscribed.Jun 29 2020, 6:22 PM

I don't think there's a proper way to sanitize user input in regexps, so probably a new type that cannot be cleared.

From what I know, there are filtering and allow-lists which can be somewhat effective, but naive solutions like that quickly fail to accommodate for the entire regex grammar. Such solutions (and more elaborate ones) have been discussed for a few different projects from time-to-time (e.g. T214378, T176312).

Daimona added a comment.Jul 1 2020, 8:50 AM
In T256661#6265248, @sbassett wrote:

I don't think there's a proper way to sanitize user input in regexps, so probably a new type that cannot be cleared.

Such solutions (and more elaborate ones) have been discussed for a few different projects from time-to-time (e.g. T214378, T176312).

Yeah, I also remember some releated discussions at T187669 and T240884.

From what I know, there are filtering and allow-lists which can be somewhat effective, but naive solutions like that quickly fail to accommodate for the entire regex grammar.

Exactly. I'm not even sure where the regex grammar sits in the Chomsky hierarchy, as it also depends on the regex flavour. At any rate, it's certainly impossible to sanitize a regexp without tokenizing it, but I don't think many people do that...

So, this should have the MISC taint type, which is the same type used for eval, require, and similar constructs for which you usually cannot sanitize the input.

sbassett added a subscriber: Bawolff.Jul 1 2020, 6:56 PM
In T256661#6270514, @Daimona wrote:

Yeah, I also remember some releated discussions at T187669 and T240884.

In addition to some of the external research mentioned on these tasks, I feel like @Bawolff sent me this other paper on potential static analysis for ReDoS prevention, which I, um, haven't quite digested just yet.

Daimona moved this task from Backlog to Plugin itself on the phan-taint-check-plugin board.Jul 9 2020, 4:00 PM
gerritbot added a comment.Dec 2 2020, 1:44 PM

Change 644800 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/tools/phan/SecurityCheckPlugin@master] Implement ReDoS detection

https://gerrit.wikimedia.org/r/644800

gerritbot added a project: Patch-For-Review.Dec 2 2020, 1:44 PM
Daimona claimed this task.Dec 2 2020, 1:44 PM
gerritbot added a comment.Dec 11 2020, 11:31 PM

Change 644800 merged by jenkins-bot:
[mediawiki/tools/phan/SecurityCheckPlugin@master] Implement ReDoS detection

https://gerrit.wikimedia.org/r/644800

Daimona mentioned this in rMTPSb49dedfc6541: Implement ReDoS detection.Dec 11 2020, 11:52 PM
Maintenance_bot removed a project: Patch-For-Review.Dec 12 2020, 12:11 AM
Daimona closed this task as Resolved.Dec 12 2020, 12:56 AM

This might have a lot of false positives (haven't tested on mw-core), but if this is the case, I guess we can just disable it like we do for the SerializeInjection issue.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits