Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/04/07 21:01:37 UTC

[tomcat] branch 8.5.x updated: Add note on RewriteValve and potential ReDoS

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new 32499f6  Add note on RewriteValve and potential ReDoS
32499f6 is described below

commit 32499f6482a5ee6759ff61351eed6eb22b8d4522
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Sun Apr 7 22:00:30 2019 +0100

    Add note on RewriteValve and potential ReDoS
    
    Patch provided by salgattas
---
 java/org/apache/catalina/valves/rewrite/RewriteValve.java | 14 ++++++++++++++
 webapps/docs/changelog.xml                                |  5 +++++
 webapps/docs/rewrite.xml                                  | 10 ++++++++++
 webapps/docs/security-howto.xml                           |  4 ++++
 4 files changed, 33 insertions(+)

diff --git a/java/org/apache/catalina/valves/rewrite/RewriteValve.java b/java/org/apache/catalina/valves/rewrite/RewriteValve.java
index 6be2fe4..220aa60 100644
--- a/java/org/apache/catalina/valves/rewrite/RewriteValve.java
+++ b/java/org/apache/catalina/valves/rewrite/RewriteValve.java
@@ -53,6 +53,20 @@ import org.apache.tomcat.util.buf.UDecoder;
 import org.apache.tomcat.util.buf.UriUtil;
 import org.apache.tomcat.util.http.RequestUtil;
 
+/**
+ * Note: Extra caution should be used when adding a Rewrite Rule. When
+ * specifying a regex to match for in a Rewrite Rule, certain regex could allow
+ * an attacker to DoS your server, as Java's regex parsing is vulnerable to
+ * "catastrophic backtracking" (also known as "Regular expression Denial of
+ * Service", or ReDoS). There are some open source tools to help detect
+ * vulnerable regex, though in general it is a hard problem. A good defence is
+ * to use a regex debugger on your desired regex, and read more on the subject
+ * of catastrophic backtracking.
+ *
+ * @see <a href=
+ *      "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">OWASP
+ *      ReDoS</a>
+ */
 public class RewriteValve extends ValveBase {
 
     /**
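Review bot: the wording "Java's regex parsing is vulnerable to 'catastrophic backtracking'" in the new Javadoc misplaces the problem; compiling the pattern (parsing) is not what blows up, the backtracking matcher in java.util.regex is, and only when a pattern with nested or overlapping quantifiers is evaluated against input the attacker controls, which for this valve is the request URI. Suggest rewording to something like "Java's regex matching uses a backtracking engine, so patterns with nested quantifiers (for example `(a+)+` or `(\\w+\\s?)*`) can take exponential time on crafted input", so a reader of the class comment knows what shape of pattern to avoid rather than only that detection is hard. Two smaller points on the same block: "DoS your server" reads as informal for Javadoc ("cause a denial of service" matches the rest of the sentence), and "defence" here versus "defense" in the rewrite.xml hunk should be made consistent across the patch.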
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b087a89..817501f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -144,6 +144,11 @@
         information on the supported directives and their attributes. Patch
         provided by nightwatchcyber. (markt)
       </fix>
+      <add>
+        Add a note to the documentation about the risk of DoS with poorly
+        written regular expressions and the <code>RewriteValve</code>. Patch
+        provided by salgattas. (markt)
+      </add>
     </changelog>
   </subsection>
 </section>
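Review bot: the changelog text says a note was added "to the documentation", but this patch also adds a Javadoc comment to `RewriteValve` and a paragraph to the security how-to, so the entry under-describes the change; suggest "Add notes to the RewriteValve Javadoc and documentation about the risk of DoS (ReDoS) with poorly written regular expressions" and, if this changelog supports a `<docs>` entry type, using it instead of `<add>` since no runtime behaviour changes.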
diff --git a/webapps/docs/rewrite.xml b/webapps/docs/rewrite.xml
index bdeae86..645f4f2 100644
--- a/webapps/docs/rewrite.xml
+++ b/webapps/docs/rewrite.xml
@@ -423,6 +423,16 @@ public interface RewriteMap {
       which may already have matched a previous rule, and have been
       altered.</p>
 
+      <p><strong>Security warning:</strong> Due to the way Java's
+      regex matching is done, poorly formed regex patterns are vulnerable
+      to "catastrophic backtracking", also known as "regular expression
+      denial of service" or ReDoS. Therefore, extra caution should be used
+      for RewriteRule patterns. In general it is difficult to automatically
+      detect such vulnerable regex, and so a good defense is to read a bit
+      on the subject of catastrophic backtracking. A good reference is the
+      <a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">
+      OWASP ReDoS guide</a>.</p>
+
       <p>Some hints on the syntax of regular
       expressions:</p>
 
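Review bot: "poorly formed regex patterns are vulnerable to catastrophic backtracking" in the new security warning describes the symptom in the wrong place; the pattern is not what is attacked, the server is, when such a pattern is matched against a request path an attacker chooses. Suggest stating that directly and making the warning actionable, for example "Avoid nested quantifiers such as `(a+)+` and alternations whose branches can match the same text under a quantifier, anchor patterns with `^` and `$` where possible, and test candidate patterns against long non-matching inputs before deploying them", so readers are not left with only "read a bit on the subject". The same caveat applies to every directive on this page that takes a regular expression, not just RewriteRule, so "extra caution should be used for RewriteRule patterns" is narrower than the risk.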
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 5018d70..7a56bf1 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -399,6 +399,10 @@
       handling can be configured within each web application. Alternatively, you
       can explicitly configure an <a href="config/valve.html">ErrorReportValve</a>
       and set its <strong>showReport</strong> attribute to <code>false</code>.</p>
+
+      <p>The RewriteValve uses regular expressions and poorly formed regex
+      patterns may be vulnerable to "catastrophic backtracking" or "ReDoS". See
+      <a href="rewrite.html">Rewrite docs</a> for more details.</p>
     </subsection>
 
     <subsection name="Realms">
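Review bot: the new paragraph lands at the end of the ErrorReportValve discussion (the preceding lines are about showReport), so it reads as a continuation of that topic rather than a separate hardening item; suggest giving RewriteValve its own lead-in sentence or placing it under its own heading, wrapping the name in `<code>` as the changelog entry does, and linking it to its configuration page the way `ErrorReportValve` is linked just above. Also "poorly formed regex patterns may be vulnerable" should say the server may be vulnerable to denial of service when such patterns are matched against attacker-controlled request URIs, matching the wording used in the rewrite.html warning it points to.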

