
ReDoS Vulnerability on TorchX #893

Closed
aydinnyunus opened this issue Apr 23, 2024 · 2 comments

@aydinnyunus

Report on ReDoS Vulnerability

Overview:
A Regular Expression Denial of Service (ReDoS) vulnerability has been identified in the validate function of the codebase. This vulnerability could allow an attacker to craft a malicious input that causes excessive processing time when passed through the regular expression used for CSS validation, potentially leading to a denial of service (DoS) attack.

Impact:
The vulnerability allows an attacker to construct a specially crafted input string that triggers catastrophic backtracking in the regular expression. This could cause the function to consume an excessive amount of CPU time and degrade system performance, potentially leading to a denial of service.

Recommendation:
To mitigate this vulnerability, it is recommended to switch to more efficient and safer methods for CSS sanitization, such as using established libraries like Bleach or the latest version of html5lib. These libraries are designed to handle input safely and efficiently, reducing the risk of ReDoS vulnerabilities.

Proof of Concept (PoC):

```javascript
// Define the vulnerable regular expression
const regex = /^\w+:\/\/[^/]*\/[^/]+(\/[^/]+(\/(\d+,?)+)?)?$/;

// Define the malicious input causing ReDoS
const maliciousInput = 'A:///,/A/0' + '0'.repeat(31) + ':/:';

// Perform the match operation
const startTime = Date.now();
const isVulnerable = regex.test(maliciousInput);
const endTime = Date.now();

// Calculate the time taken
const timeTaken = endTime - startTime;

// Print the result
console.log(`Is vulnerable: ${isVulnerable}`);
console.log(`Time taken: ${timeTaken} milliseconds`);
```

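A Python check of the regex quoted in the report against a rewrite without the nested quantifier, added here as an example that is not part of the issue or of TorchX's code. The hardened pattern, the sample identifiers and the `scheduler://session/app[/role[/replica_ids]]` shape it assumes are my assumptions about what the original pattern is meant to accept, not the project's own.

```python
import re
import time

# Regex quoted in the report; the nested quantifier in (\d+,?)+ is the ambiguous part:
# a run of digits can be tiled into groups in exponentially many ways when the match fails later.
VULNERABLE = re.compile(r"^\w+://[^/]*/[^/]+(/[^/]+(/(\d+,?)+)?)?$")

# Hardened rewrite (assumption: the intended shape is scheduler://session/app[/role[/replica_ids]],
# replica_ids being a comma-separated list of integers, optionally comma-terminated).
# Every comma must be followed by digits, so there is exactly one way to consume a digit run.
HARDENED = re.compile(r"^\w+://[^/]*/[^/]+(/[^/]+(/\d+(,\d+)*,?)?)?$")

# Constructed sample identifiers covering the valid and invalid shapes.
SAMPLES = [
    ("local://sess/app", True),
    ("local://sess/app/role", True),
    ("local://sess/app/role/0", True),
    ("local://sess/app/role/0,1,2", True),
    ("local://sess/app/role/0,1,", True),
    ("local:///app/role/3", True),
    ("local://sess", False),
    ("local://sess/app/role/", False),
    ("local://sess/app/role/0,,1", False),
    ("local://sess/app/role/a", False),
    ("local://sess/app/role/0/extra", False),
]

def same_language(samples=SAMPLES) -> bool:
    """True if both patterns give the expected verdict on every sample (same accepted language)."""
    return all(bool(VULNERABLE.match(s)) == bool(HARDENED.match(s)) == expected
               for s, expected in samples)

def crafted(n_zeros: int) -> str:
    """The report's near-miss input: a long digit run followed by a suffix that can never match."""
    return "A:///,/A/0" + "0" * n_zeros + ":/:"

def time_match(pattern: re.Pattern, text: str) -> float:
    """Seconds spent by one match attempt (returns the timing, not the verdict)."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start

if __name__ == "__main__":
    print("patterns agree on samples:", same_language())
    # Growth curve: each extra zero roughly doubles the vulnerable pattern's work,
    # while the hardened pattern stays flat. Kept short so this finishes in seconds.
    for n in (12, 14, 16, 18):
        print(f"n={n:2d} vulnerable={time_match(VULNERABLE, crafted(n)):.4f}s "
              f"hardened={time_match(HARDENED, crafted(n)):.6f}s")
    print("hardened rejects the 31-zero input:", HARDENED.match(crafted(31)) is None)
```

Python's `re` has no match timeout, so the fix has to be in the pattern (or in bounding input length before matching); the growth loop is what to run when deciding whether a reported pattern is actually exponential.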
@Sanjay-Ganeshan
Contributor

Hi @aydinnyunus - thanks for the report!

Since this is run locally on users' or clusters' machines, generally on a string handle that's programmatically generated, rather than on any sort of web service backend, I don't think exploiting this vulnerability can lead to a DoS.

At worst, it degrades the user experience of the bad actor, on their own CPUs.

The mention of "CSS sanitization" makes me think this might be being flagged by some sort of automation. If the vulnerability appears in any Python file that uses re, perhaps the change is best directed towards the folks at https://github.com/python/cpython ?

@aydinnyunus
Author

Hi @Sanjay-Ganeshan,

I mentioned CSS sanitization wrongly; it is used in the CmdLog class. Also, the Python re package does not check for ReDoS vulnerabilities, but regexes should be used safely.

I am not familiar with torchx, but I created the issue because I was thinking of the case where a web service uses the torchx binary on the backend and uses the regex filter. Is this case possible? If not, maybe we can close the issue.
