skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
August 18, 2022

GHSL-2022-024: Regular Expression Denial of Service (ReDoS) in the Azure SDK for Java.

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

The Azure SDK for Java up to version 1.5.0-beta2 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it validates tenant IDs. Specially crafted IDs may cause catastrophic backtracking, taking exponential time to complete.

Product

Azure SDK for Java

Tested Version

Details

Issue: Regular Expression Denial of Service (ReDoS) in ValidationUtil.java. (GHSL-2022-024)

The Azure SDK for Java provides the class ValidationUtil to perform validations on user-provided parameters. Its method validateTenantIdCharacterRange, used to validate tenant IDs, uses the following regular expression to do so:

private static final Pattern TENANT_IDENTIFIER_CHAR_PATTERN = Pattern.compile("^(?:[A-Z]|[0-9]|[a-z]|-|.)+$");

Note the nested repetition in (?:[A-Z]|[0-9]|[a-z]|-|.)+, specifically at the final dot (.) which also includes all the previous alternatives in the capturing group. The regex engine would need to exponentially backtrack [1] in order to distinguish which part of the expression (either the dot or one of the other alternatives) matches the input in case there is not a full match.

As an example, the following snippet shows how an application could be exploited using any string of characters (the length of which exponentially increases the time needed to complete the evaluation) that matches two alternatives of the expression, followed by a character that matches neither:

public class RedosAzureSdkPoc {
    public static void main(String[] args) {
        try {
            ValidationUtil.validateTenantIdCharacterRange("------------------------------\n",
                    new ClientLogger(RedosAzureSdkPoc.class.getName()));
        } catch (IllegalArgumentException e) {
        }
    }
}

Note that JDK 9 introduced important mitigations for this problem, so in order to reproduce the issue with the above example, the application using the Azure SDK must use JDK =< 8.

Impact

This issue may lead to denial of service of the application using the Azure SDK if user input reaches validateTenantIdCharacterRange.

Resources

[1] https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS [2] https://github.com/google/re2j

Credit

This issue was discovered and reported by the CodeQL team members @atorralba (Tony Torralba) and @joefarebrother (Joseph Farebrother).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-024 in any communication regarding this issue.