GHSL-2021-121: ReDoS (Regular Expression Denial of Service) in StreamAlert

Coordinated Disclosure Timeline

• 2021-08-31: Created an issue asking for contact details.
• 2021-11-30: Deadline expired.
• 2021-12-06: Created a pull request to fix the bug.

Summary

StreamAlert contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Product

StreamAlert

Tested Version

v3.4.1

Details

ReDoS

ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.

This vulnerability was found using a CodeQL query which identifies inefficient regular expressions.

Vulnerability

The vulnerable regular expression is here.

To see that the regular expression is vulnerable, copy-paste it into a separate file as shown below:

• Run the code below with python3:

import re

_URL_REGEX = re.compile(
    r'^(?:http(s)?://)?[\w.-]+(?:\.[\w\.-]+)+[\w\-\._~:/?#[\]@!\$&\'\(\)\*\+,;=.]+$'
)

_URL_REGEX.match("https://a.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-}");

Impact

This issue may lead to a denial of service.

Credit

This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-121 in any communication regarding this issue.