Skip to content

Latest commit

 

History

History
97 lines (74 loc) · 7.2 KB

mitigations.md

File metadata and controls

97 lines (74 loc) · 7.2 KB

Mitigation Strategies Analysis for google/re2

Mitigation Strategy: Resource Limiting (re2 Configuration)

Mitigation Strategy: Configure re2 Memory Limits

Description:

  1. Determine Memory Limit: Determine a reasonable maximum memory limit for re2 operations. This depends on the application's expected workload and available resources. Start conservatively and increase if necessary, based on monitoring.

  2. Configure re2::RE2::Options: When creating re2::RE2 objects (or the equivalent in your language bindings), use the re2::RE2::Options class (or equivalent) to set the max_mem option. Example (C++):

    re2::RE2::Options options;
options.set_max_mem(1024 * 1024); // 1MB limit
re2::RE2 re("some_regex", options);

  3. Error Handling: Check the return value of re2::RE2::Match (or the equivalent matching function in your language bindings). If the memory limit is exceeded, re2 will return an error (or potentially throw an exception, depending on the bindings). Handle this error gracefully:

    • Log the error.
    • Reject the input associated with the failed match.
    • Provide a user-friendly error message (without revealing the specific memory limit).

  4. Monitoring: Monitor re2 memory usage in production. Use application performance monitoring (APM) tools or custom logging to track:

    • The frequency of memory limit errors.
    • The average and maximum memory usage of re2 operations.

  5. Adjust Limits: Based on monitoring data, adjust the memory limit as needed.

Threats Mitigated:

  • ReDoS (Resource Exhaustion): Prevents a single malicious input from consuming all available memory, even if the input is crafted to maximize re2's memory usage (within its linear-time constraints). Severity: Medium.

Impact:

  • ReDoS: Provides a strong defense against memory exhaustion attacks targeting re2. Risk reduction: High.

Currently Implemented:

  • Not implemented.

Missing Implementation:

  • No memory limits are configured for re2 in any part of the application.

Mitigation Strategy: re2 Compilation Error Handling

Mitigation Strategy: Robust Error Handling for Regex Compilation (re2-Specific)

Description:

  1. Check Compilation Status: Always check for successful compilation after attempting to compile a regular expression using re2. This is done differently depending on the language bindings:
    • C++: Check the return value of the re2::RE2 constructor (it returns a boolean) and check re2::RE2::ok().
    • Python (using the re module with re2): The re.compile() function (when using the re2 backend) will raise an exception (re2.error) on compilation failure. Use a try...except block.
    • Other Bindings: Consult the documentation for your specific language bindings to determine how to check for compilation errors.
  2. Detailed Error Logging (Development): During development and debugging, log the full error message provided by re2. In C++, use re2::RE2::error(). In Python, the exception object will contain the error message. This helps developers quickly identify and fix invalid regular expressions.
  3. Generic Error Messages (Production): In production, never expose the raw re2 error message to the user. Instead, provide a generic error message like "Invalid input format" or "An error occurred."
  4. Fallback Mechanism: Implement a well-defined fallback mechanism for cases where regular expression compilation fails. This might involve:
    • Rejecting the input.
    • Using a simpler, pre-validated regular expression (if applicable).
    • Logging the error and continuing with a default behavior (if appropriate and safe).
  5. Unit Tests: Write unit tests that specifically test for re2 compilation errors, including cases with invalid regular expression syntax. These tests should use the re2 API directly to attempt compilation.

Threats Mitigated:

  • Information Disclosure: Prevents leaking internal details about the application's regular expressions (and potentially the re2 version) through error messages. Severity: Low to Medium.
  • Application Instability: Prevents the application from crashing or behaving unexpectedly due to unhandled re2 compilation errors. Severity: Medium.

Impact:

  • Information Disclosure: Eliminates the risk of exposing sensitive information through re2 error messages. Risk reduction: High.
  • Application Instability: Improves application stability and reliability by handling re2 errors gracefully. Risk reduction: High.

Currently Implemented:

  • Partial implementation. Compilation status is checked, and errors are logged during development.
  • Generic error messages are used in production.

Missing Implementation:

  • No specific fallback mechanism is defined for all cases of re2 compilation failure. Some parts of the application might still behave unexpectedly.
  • Unit tests do not comprehensively cover all possible re2 compilation error scenarios.

Mitigation Strategy: Version Management (re2-Specific)

Mitigation Strategy: Regular Updates of the re2 Library

Description:

  1. Dependency Management: Use a robust dependency management system (e.g., vcpkg, Conan, system package manager, Maven/Gradle for Java, npm/yarn for JavaScript) to manage the re2 library. This ensures consistent versions across environments and simplifies updates.
  2. Update Policy: Establish a clear policy for updating re2. This should include:
    • Frequency of updates (e.g., monthly, quarterly, or whenever a security vulnerability is announced).
    • Testing procedures before deploying updates to production (including regression tests that specifically exercise re2 functionality).
  3. Vulnerability Scanning: Integrate vulnerability scanning tools into the CI/CD pipeline that specifically check for vulnerabilities in re2.
  4. Emergency Updates: Have a process in place for applying emergency updates to re2 in response to critical security vulnerabilities. This process should be fast and well-defined.
  5. Stay Informed: Subscribe to security mailing lists or follow the re2 project on GitHub to receive notifications about new releases and security advisories.

Threats Mitigated:

  • Known Vulnerabilities: Protects against known vulnerabilities in the re2 library itself that could be exploited by attackers. Severity: Varies depending on the vulnerability (potentially High).

Impact:

  • Known Vulnerabilities: Significantly reduces the risk of exploitation of known vulnerabilities in re2. Risk reduction: High.

Currently Implemented:

  • The project uses a dependency management system (vcpkg).
  • Basic vulnerability scanning is performed using GitHub Dependabot.

Missing Implementation:

  • No formal update policy is in place for re2. Updates are performed ad-hoc.
  • No dedicated process for emergency updates to re2.
  • Vulnerability scanning is not integrated into the CI/CD pipeline; it's only performed on the main branch and doesn't specifically target re2.