Skip to content

Latest commit

 

History

History
92 lines (73 loc) · 8.27 KB

mitigations.md

File metadata and controls

92 lines (73 loc) · 8.27 KB

Mitigation Strategies Analysis for mtdowling/cron-expression

Mitigation Strategy: Strict Input Validation (Whitelisting)

  1. Define Allowed Characters: Create a regular expression that precisely defines the allowed characters and structure of a valid cron expression for your application. Start with a very restrictive regex and only add what's absolutely necessary. Example (adjust to your needs!): 
    var validCronRegex = regexp.MustCompile(`^(\*|\d+(-\d+)?(,\d+(-\d+)?)*)(/\d+)? (\*|\d+(-\d+)?(,\d+(-\d+)?)*)(/\d+)? (\*|\d+(-\d+)?(,\d+(-\d+)?)*)(/\d+)? (\*|\d+(-\d+)?(,\d+(-\d+)?)*)(/\d+)? (\*|\d+(-\d+)?(,\d+(-\d+)?)*)(/\d+)?$`);
  2. Validate Before Parsing: Before calling cron.Parse(), use the validCronRegex.MatchString(inputString) function to check if the input cron expression matches the allowed pattern.
  3. Reject Invalid Input: If the input does not match the regex, immediately reject it. Do not attempt to sanitize or modify the input. Return a clear error message (e.g., "Invalid cron expression format").
  4. Additional Range Checks (Optional but Recommended): After the regex match, perform additional checks to ensure that the numerical values within each field are within the allowed ranges (e.g., minutes: 0-59, hours: 0-23, etc.). This adds another layer of validation.
  5. Whitelist specific non-standard descriptors: If you use non-standard descriptors, create a list of allowed descriptors.

  • Threats Mitigated:

    • Denial of Service (DoS) via Complex Expressions (High Severity): Maliciously crafted, overly complex cron expressions can cause excessive CPU and memory consumption during parsing, leading to a denial-of-service attack. Strict validation prevents these complex expressions from being processed.
    • Unexpected Behavior (Medium Severity): Invalid or unexpected cron expressions could lead to the scheduler running tasks at unintended times or with unintended frequencies. Validation ensures only expected expressions are used.
    • (Low Probability, but possible) Code Execution via Unsafe Output Handling (Critical Severity): If the output of the cron library (calculated dates) is used unsafely (e.g., in shell commands without escaping), a carefully crafted input could (though unlikely with this specific library) influence the output in a way that leads to code execution. Strict input validation minimizes the attack surface.

  • Impact:

    • DoS: Significantly reduces the risk of DoS attacks caused by malicious cron expressions. The risk is reduced from high to low.
    • Unexpected Behavior: Eliminates the risk of unexpected behavior due to invalid input. The risk is reduced from medium to negligible.
    • Code Execution: Indirectly reduces the risk by limiting the potential for manipulated output. The risk is reduced from low probability to extremely low probability.

  • Currently Implemented:

    • Basic regex validation is implemented in the validateCronExpression function in utils/cron_validator.go.
    • This function is called before parsing any cron expression received from user input in the api/schedule_task.go endpoint.

  • Missing Implementation:

    • The config/scheduler_config.go file reads cron expressions from a configuration file. No validation is currently performed on these expressions. This is a potential vulnerability if the configuration file can be tampered with.
    • Range checks (e.g., ensuring minutes are between 0-59) are not currently implemented.
    • Non-standard descriptors are not explicitly whitelisted.

Mitigation Strategy: Resource Limitation (Timeout and Iteration Limit)

  1. Context with Timeout for Parsing: Wrap all calls to cron.Parse() within a context.WithTimeout(). This sets a maximum time limit for the parsing operation. 
    ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) // Example: 5 seconds
defer cancel()
expr, err := cron.Parse(expression, cron.WithContext(ctx))
  2. Context with Timeout for Date Calculation: Similarly, wrap calls to GetNext(), GetPrev(), and any other methods that calculate dates with a context.WithTimeout(). ```go ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) // Example: 2 seconds defer cancel() nextTime := expr.Next(currentTime, cron.WithContext(ctx))
  3. Iteration Limit: When calling GetNext() or GetPrev() repeatedly (e.g., to get multiple future execution times), implement a maximum iteration count to prevent infinite loops or excessively long calculations. 
    maxIterations := 100
for i := 0; i < maxIterations; i++ {
    // ... get next execution time with timeout ...
}
  4. Choose Appropriate Timeout Values: The timeout values (e.g., 5 seconds, 2 seconds) should be chosen based on the expected complexity of the cron expressions and the performance characteristics of your system. Start with relatively short timeouts and adjust as needed.

  • Threats Mitigated:

    • Denial of Service (DoS) via Long-Running Calculations (High Severity): Malicious expressions could be designed to cause extremely long calculation times for GetNext() or GetPrev(), tying up resources. Timeouts prevent these calculations from running indefinitely.
    • Denial of Service (DoS) via Infinite Loops (High Severity): Certain expressions might lead to infinite loops when calculating future times. The iteration limit prevents this.

  • Impact:

    • DoS (Long-Running Calculations): Significantly reduces the risk of DoS by limiting the execution time of date calculations. Risk reduced from high to low.
    • DoS (Infinite Loops): Eliminates the risk of DoS due to infinite loops. Risk reduced from high to negligible.

  • Currently Implemented:

    • Timeouts are implemented for cron.Parse() calls in api/schedule_task.go.

  • Missing Implementation:

    • Timeouts are not consistently implemented for GetNext() and GetPrev() calls throughout the application. Specifically, the scheduler/worker.go component, which handles the actual execution of scheduled tasks, does not use timeouts when calculating the next execution time.
    • An iteration limit is not implemented anywhere in the code.

Mitigation Strategy: Error Handling

  1. Check for Errors: Always check the error return value from cron.Parse() and other cron-expression functions.

  2. Log Detailed Errors: Log any errors, including the input cron expression that caused the error, to a secure log file. This is crucial for debugging and identifying potential attacks.

  3. Generic User Messages: Do not expose internal error messages or stack traces to the user. Instead, return a generic error message, such as "Invalid input" or "An error occurred."

  4. Handle Timeouts: When using contexts with timeouts, handle the context.DeadlineExceeded error appropriately. Log the timeout and return a suitable error message.

    • Threats Mitigated:

      • Information Disclosure (Medium Severity): Prevents sensitive information (e.g., internal code structure, library versions) from being leaked to attackers through error messages.
      • Debugging and Auditing (Low Severity): Proper error logging facilitates debugging and auditing, making it easier to identify and fix issues, including security vulnerabilities.

    • Impact:

      • Information Disclosure: Reduces the risk of information disclosure. Risk reduced from medium to low.
      • Debugging and Auditing: Improves the ability to debug and audit the application.

    • Currently Implemented:

      • Basic error checking is performed for cron.Parse() in api/schedule_task.go.

    • Missing Implementation:

      • Error handling is inconsistent throughout the application. Some functions do not check for errors or do not log them properly.
      • Error messages returned to the user are sometimes too verbose and may reveal internal details.
      • Timeout errors are not always handled explicitly.