
Avoiding ReDoS attacks used in user-facing, regex-related REST endpoints. #26483

Merged

dennisoelkers merged 5 commits into master from fix/preventing_redos_attacks on Jul 1, 2026

Conversation

@luk-kaminski luk-kaminski commented Jun 25, 2026
Contributor

Description

SafePattern class for avoiding ReDoS attacks used in user-facing, regex-related REST endpoints.

Motivation and Context

Protect against those types of attacks from malicious users.

How Has This Been Tested?

Manually and with new unit tests.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Refactoring (non-breaking change)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have requested a documentation update.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.

@luk-kaminski luk-kaminski changed the title SafePattern class for avoiding ReDoS attacks used in user-facing, reg… Avoiding ReDoS attacks used in user-facing, regex-related REST endpoints. Jun 25, 2026
@luk-kaminski luk-kaminski force-pushed the fix/preventing_redos_attacks branch from ae1f1e7 to 4a15938 on June 25, 2026 12:46
luk-kaminski and others added 2 commits June 26, 2026 10:45
…ex-related REST endpoints.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@luk-kaminski luk-kaminski force-pushed the fix/preventing_redos_attacks branch from 479d0f2 to 4fad9f9 on June 26, 2026 08:45
@luk-kaminski luk-kaminski marked this pull request as ready for review June 26, 2026 08:53
@janheise janheise self-requested a review June 26, 2026 12:37
@janheise janheise self-requested a review June 29, 2026 13:43
Comment thread graylog2-server/src/main/java/org/graylog2/rest/resources/tools/SafePattern.java Outdated
@Override
public char charAt(final int index) {
if (clock.millis() > deadline) {
throw new TimeoutException();
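Review bot: the deadline check in charAt() calls clock.millis() on every character the regex engine reads, which puts a clock read on the matcher's hottest path; consider counting invocations and consulting the clock only every N reads (a few hundred or a thousand), which keeps the overshoot negligible against a millisecond-scale timeout while removing almost all of the overhead. `throw new TimeoutException();` also carries no message, so the "Regular expression matching timed out" text that ends up in the ApiError response has to be attached wherever the exception is caught; a short comment at the throw site saying so would help the next reader.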

Member

Should we use java.util.concurrent.TimeoutException here?

Contributor Author

java.util.concurrent.TimeoutException is a checked exception; I cannot change the signature of the charAt() method while overriding it.

safePattern.compile(regex);
response.isValid(true);
} catch (PatternSyntaxException e) {
} catch (IllegalArgumentException e) {
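Review bot: PatternSyntaxException extends IllegalArgumentException, so the two catch clauses are legal only in the order shown (subclass first; javac rejects the reverse as an unreachable catch), and if both bodies report the pattern as invalid in the same way, the dedicated PatternSyntaxException clause is redundant and the single IllegalArgumentException catch suffices. It is also worth confirming that the unchecked timeout exception thrown from SafePattern's charAt() does not itself extend IllegalArgumentException; otherwise a timed-out match would be reported here as an invalid pattern instead of reaching the timeout error mapping.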

Member

What about the PatternSyntaxException, where is it handled now?

Contributor Author

PatternSyntaxException is a subclass of IllegalArgumentException...

@dennisoelkers dennisoelkers left a comment

Member

Code looks good, tested before and after:

Before:

$ curl -XPOST -H 'X-Requested-by: ReDoS' -u admin:admin -d '{ "string": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!", "regex": "(.*a){20}$" }' -H 'Content-Type: application/json' http://localhost:8080/api/tools/regex_tester

[hangs]

After:

$ curl -XPOST -H 'X-Requested-by: ReDoS' -u admin:admin -d '{ "string": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!", "regex": "(.*a){20}$" }' -H 'Content-Type: application/json' http://localhost:8080/api/tools/regex_tester
{"type":"ApiError","message":"Regular expression matching timed out — the pattern may be susceptible to catastrophic backtracking"}%  
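The deadline-in-charAt() mechanism discussed in the review threads above, written out as an added example that is not the PR's SafePattern.java (class and method names here are my own): java.util.regex reads its input only through CharSequence.charAt(), so a wrapper that re-checks a Clock there can abort catastrophic backtracking with an unchecked exception, which is why the override cannot throw the checked java.util.concurrent.TimeoutException.

```java
import java.time.Clock;
import java.time.Duration;
import java.util.regex.Pattern;

public final class DeadlineRegex {
    // Unchecked on purpose: CharSequence.charAt() declares no exceptions, so an override
    // cannot throw the checked java.util.concurrent.TimeoutException.
    public static final class MatchTimeoutException extends RuntimeException {
        MatchTimeoutException(String message) { super(message); }
    }

    // The regex engine reads input only through charAt(), so re-checking the deadline
    // there bounds catastrophic backtracking without touching the engine itself.
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence text;
        private final Clock clock;
        private final long deadlineMillis;
        DeadlineCharSequence(CharSequence text, Clock clock, long deadlineMillis) {
            this.text = text; this.clock = clock; this.deadlineMillis = deadlineMillis;
        }
        @Override public char charAt(int index) {
            if (clock.millis() > deadlineMillis) {
                throw new MatchTimeoutException("Regular expression matching timed out");
            }
            return text.charAt(index);
        }
        @Override public int length() { return text.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            // Sub-sequences keep the guard; the engine may read through them as well.
            return new DeadlineCharSequence(text.subSequence(start, end), clock, deadlineMillis);
        }
        @Override public String toString() { return text.toString(); }
    }

    // True/false for a full match within the budget; MatchTimeoutException once it is spent.
    public static boolean matchesWithin(Pattern pattern, String input, Duration budget, Clock clock) {
        long deadline = clock.millis() + budget.toMillis();
        return pattern.matcher(new DeadlineCharSequence(input, clock, deadline)).matches();
    }

    public static void main(String[] args) {
        // Constructed input mirroring the manual test above: a long run of 'a' ending in '!'
        // against "(.*a){20}$", which backtracks combinatorially before it can fail.
        Pattern p = Pattern.compile("(.*a){20}$");
        try {
            matchesWithin(p, "a".repeat(400) + "!", Duration.ofMillis(500), Clock.systemUTC());
        } catch (MatchTimeoutException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A REST layer would catch MatchTimeoutException separately from IllegalArgumentException so that a timed-out match is reported as a timeout rather than as an invalid pattern.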

@dennisoelkers dennisoelkers merged commit 5a8de34 into master Jul 1, 2026
24 checks passed
@dennisoelkers dennisoelkers deleted the fix/preventing_redos_attacks branch July 1, 2026 07:56
dennisoelkers pushed a commit that referenced this pull request Jul 2, 2026
…nts. (#26483) (#26535)

* SafePattern class for avoiding ReDoS attacks used in user-facing, regex-related REST endpoints.

* Changelog added

* An attempt to replace System.currentTimeMillis() with Clock.

* Removing length limits for input and regexp

---------

(cherry picked from commit 5a8de34)

Co-authored-by: Łukasz Kamiński <lukasz.kaminski@graylog.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>