
Catch Catastrophic Backtracking ReDoS Bugs with Bento Checks

Original Post: Bento check: Catch catastrophic backtracking ReDoS bugs

The content discusses ReDoS (regular expression denial-of-service) bugs, which occur due to inefficient regular expressions that cause excessive backtracking, potentially leading to system vulnerabilities and denial-of-service attacks. The text highlights a high severity vulnerability (CVE-2020-8492) found in Python versions 2 and 3, stemming from poorly crafted regular expressions. To address this, Bento version 0.9 includes a new check to identify such vulnerabilities in other projects. Users can install the tool with $ pip3 install bento-cli && bento init.

The text further explains types of inefficient regular expressions, such as nested quantifiers and mutually inclusive alternation, which can cause catastrophic backtracking. One real-world example is a major outage at Cloudflare caused by such a bug in their web application firewall (WAF).

Bento’s initial tests flagged many open-source Python projects with such issues, including the Python urllib module, leading to the identification and reporting of several bugs in widely-used Python projects like python-poetry, grpc, and colorama.

The text encourages users to run Bento to check their own projects for similar bugs and provides links to additional resources for more in-depth information on preventing ReDoS attacks and examples of catastrophic backtracking in regular expressions.
