This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push: new 32499f6 Add note on RewriteValve and potential ReDoS 32499f6 is described below commit 32499f6482a5ee6759ff61351eed6eb22b8d4522 Author: Mark Thomas <ma...@apache.org> AuthorDate: Sun Apr 7 22:00:30 2019 +0100 Add note on RewriteValve and potential ReDoS Patch provided by salgattas --- java/org/apache/catalina/valves/rewrite/RewriteValve.java | 14 ++++++++++++++ webapps/docs/changelog.xml | 5 +++++ webapps/docs/rewrite.xml | 10 ++++++++++ webapps/docs/security-howto.xml | 4 ++++ 4 files changed, 33 insertions(+) diff --git a/java/org/apache/catalina/valves/rewrite/RewriteValve.java b/java/org/apache/catalina/valves/rewrite/RewriteValve.java index 6be2fe4..220aa60 100644 --- a/java/org/apache/catalina/valves/rewrite/RewriteValve.java +++ b/java/org/apache/catalina/valves/rewrite/RewriteValve.java @@ -53,6 +53,20 @@ import org.apache.tomcat.util.buf.UDecoder; import org.apache.tomcat.util.buf.UriUtil; import org.apache.tomcat.util.http.RequestUtil; +/** + * Note: Extra caution should be used when adding a Rewrite Rule. When + * specifying a regex to match for in a Rewrite Rule, certain regex could allow + * an attacker to DoS your server, as Java's regex parsing is vulnerable to + * "catastrophic backtracking" (also known as "Regular expression Denial of + * Service", or ReDoS). There are some open source tools to help detect + * vulnerable regex, though in general it is a hard problem. A good defence is + * to use a regex debugger on your desired regex, and read more on the subject + * of catastrophic backtracking. + * + * @see <a href= + * "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">OWASP + * ReDoS</a> + */ public class RewriteValve extends ValveBase { /** diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index b087a89..817501f 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -144,6 +144,11 @@ information on the supported directives and their attributes. Patch provided by nightwatchcyber. (markt) </fix> + <add> + Add a note to the documentation about the risk of DoS with poorly + written regular expressions and the <code>RewriteValve</code>. Patch + provided by salgattas. (markt) + </add> </changelog> </subsection> </section> diff --git a/webapps/docs/rewrite.xml b/webapps/docs/rewrite.xml index bdeae86..645f4f2 100644 --- a/webapps/docs/rewrite.xml +++ b/webapps/docs/rewrite.xml @@ -423,6 +423,16 @@ public interface RewriteMap { which may already have matched a previous rule, and have been altered.</p> + <p><strong>Security warning:</strong> Due to the way Java's + regex matching is done, poorly formed regex patterns are vulnerable + to "catastrophic backtracking", also known as "regular expression + denial of service" or ReDoS. Therefore, extra caution should be used + for RewriteRule patterns. In general it is difficult to automatically + detect such vulnerable regex, and so a good defense is to read a bit + on the subject of catastrophic backtracking. A good reference is the + <a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS"> + OWASP ReDoS guide</a>.</p> + <p>Some hints on the syntax of regular expressions:</p> diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 5018d70..7a56bf1 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml 
@@ -399,6 +399,10 @@ handling can be configured within each web application. Alternatively, you can explicitly configure an <a href="config/valve.html">ErrorReportValve</a> and set its <strong>showReport</strong> attribute to <code>false</code>.</p> + + <p>The RewriteValve uses regular expressions and poorly formed regex + patterns may be vulnerable to "catastrophic backtracking" or "ReDoS". See + <a href="rewrite.html">Rewrite docs</a> for more details.</p> </subsection> <subsection name="Realms">
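Review bot: In the RewriteValve.java hunk, the new class-level Javadoc is only seen by developers reading the source, while the patterns it warns about are written by administrators in the rewrite configuration, so the substantive guidance belongs in rewrite.xml (which this patch also updates) and the Javadoc could be cut to a sentence pointing there. The sentence "There are some open source tools to help detect vulnerable regex" names none, so it gives the reader nothing to act on; either name a tool or drop it. Also, this comment spells it "defence" while the rewrite.xml hunk spells it "defense"; pick one for both.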
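Review bot: In the changelog.xml hunk, the entry is typed `<add>` although the change adds no feature, only documentation and a source comment; if the changelog schema on this branch has a documentation entry type, that fits better than `<add>`. The text "Add a note to the documentation" also omits that RewriteValve.java gained a Javadoc comment, so someone reading only the changelog would not expect a source change.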
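Review bot: In the rewrite.xml hunk, the warning tells the reader that vulnerable patterns are hard to detect automatically and to "read a bit on the subject", but it gives no concrete, checkable rule. Suggest stating the shape to avoid (nested or overlapping quantifiers that can match the same input in many ways) and recommending that every RewriteRule pattern be tried against long, non-matching inputs before deployment, since a pattern that hangs on such input is exactly the case this paragraph describes. "such vulnerable regex" reads as a plural; "such vulnerable patterns" is clearer. The opening "Due to the way Java's regex matching is done" is vague where the Javadoc hunk is already more specific (backtracking); use the same wording in both places.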
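Review bot: In the security-howto.xml hunk, the new paragraph is appended to a subsection whose surrounding context is about error-report handling (ErrorReportValve and showReport), so a RewriteValve note reads as off-topic there; it belongs in whichever subsection covers valves or general configuration. For consistency with the preceding paragraph, which links ErrorReportValve and wraps values in `<code>`, write `<code>RewriteValve</code>` and link the valve name to its documentation rather than leaving it as bare text, e.g. `<p>The <code>RewriteValve</code> uses regular expressions and poorly formed`.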