Original Post: Finding Python ReDoS bugs at scale using Dlint and r2c
The article discusses Regular Expression Denial-of-Service (ReDoS) attacks, which exploit inefficient regular expressions to cause significant delays and potential denial of service. Inefficient expressions often include nested quantifiers, like (a+)+, or mutually inclusive alternation patterns, such as ([a-z]|a)+, which lead to catastrophic backtracking when the pattern is followed by input it cannot match.
To detect such vulnerabilities, the article highlights automation through Python static analysis tooling. Dlint, a static analysis tool for Python, has been enhanced to identify inefficient regular expressions passed to Python's re module: its new rule, DUO138, scans for patterns prone to catastrophic backtracking.
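The following is an added example, not code from the article, Dlint or r2c. It shows the two points above together: a small checker that walks the parse tree of Python's own regex parser and flags an unbounded quantifier (+ or *) nested directly inside another one, the (a+)+ shape the summary describes, plus a timing helper that makes the catastrophic-backtracking cost visible on unmatchable input. The checker is a heuristic of my own and is narrower than DUO138: it does not cover the mutually inclusive alternation case such as ([a-z]|a)+. The sample patterns are constructed for the demonstration.

```python
"""Flag nested unbounded quantifiers in Python regexes and show their cost.

Added example (not from the article, Dlint or r2c). Uses the parse tree
built by Python's own regex parser; the nested-quantifier rule below is a
constructed heuristic, not Dlint's DUO138 implementation.
"""
import re
import time

try:  # Python 3.11+ keeps the parser under re._parser / re._constants
    from re import _parser as sre_parse, _constants as sre_constants
except ImportError:  # older versions expose them as top-level modules
    import sre_parse, sre_constants

REPEAT_OPS = {sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT}


def _walk(subpattern, inside_unbounded: bool) -> bool:
    """True if an unbounded repeat sits inside another unbounded repeat."""
    for op, av in subpattern:
        if op in REPEAT_OPS:
            _lo, hi, body = av
            unbounded = hi == sre_constants.MAXREPEAT  # + or * (or {n,})
            if unbounded and inside_unbounded:
                return True
            if _walk(body, inside_unbounded or unbounded):
                return True
        elif op == sre_constants.SUBPATTERN:
            # av is (group, add_flags, del_flags, body); body is always last
            if _walk(av[-1], inside_unbounded):
                return True
        elif op == sre_constants.BRANCH:
            # av is (None, [alternative, ...])
            if any(_walk(alt, inside_unbounded) for alt in av[1]):
                return True
        elif op in (sre_constants.ASSERT, sre_constants.ASSERT_NOT):
            # av is (direction, body) for lookahead/lookbehind
            if _walk(av[1], inside_unbounded):
                return True
    return False


def has_nested_quantifier(pattern: str) -> bool:
    """True if `pattern` nests an unbounded quantifier inside another one."""
    return _walk(sre_parse.parse(pattern), inside_unbounded=False)


def match_time(pattern: str, n: int) -> float:
    """Seconds spent failing to match n letters 'a' followed by an unmatchable '!'."""
    compiled = re.compile(pattern)
    start = time.perf_counter()
    compiled.match("a" * n + "!")
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed patterns: vulnerable shapes next to safe ones.
    for pat in (r"^(a+)+$", r"^(?:[a-z]+)*$", r"^a+$", r"^\w+@\w+$"):
        print(f"{pat:18} nested unbounded quantifier: {has_nested_quantifier(pat)}")
    # Each extra character roughly doubles the time for the vulnerable
    # pattern, while the equivalent safe pattern stays flat.
    for n in (8, 16):
        print(f"n={n:2}  ^(a+)+$ {match_time(r'^(a+)+$', n):.4f}s"
              f"   ^a+$ {match_time(r'^a+$', n):.6f}s")
```

Keep the timing input short (n around 16) when trying this; with the vulnerable pattern the work grows exponentially in n, which is exactly the property a ReDoS check is meant to catch before the expression reaches untrusted input.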
The article also presents the r2c distributed analysis platform, which enables large-scale static analysis across many code repositories. To run at that scale, Dlint was converted into an r2c "analyzer".
Key findings from running Dlint include the discovery of ReDoS vulnerabilities in popular projects like Python's urllib module, resulting in reports such as CVE-2020-8492. Other projects with identified ReDoS bugs include python-poetry, grpc, colorama, bottle, and requests-kerberos.
For detailed detection and further investigation of such vulnerabilities, the article recommends tools like Semgrep and platforms like r2c’s distributed analysis platform and the Dlint project.