1.0.0rc1

b-c-ds · bcaller · commit f6140409a37a · 2021-03-09T22:11:08.000Z
diff --git a/README.md b/README.md
@@ -1,23 +1,21 @@
 # Regexploit
 
-Regular Expression Denial of Service (ReDoS).
+Find regexes which are vulnerable to Regular Expression Denial of Service (ReDoS).
 
-Most default regular expression parsers (non-deterministic finite automata) have unbounded worst-case complexity. Regex matching may be quick when presented with a matching input string. However, certain non-matching input strings can make the regular expression matcher go into crazy loops and take ages to process. This can cause denial of service, as the CPU will be stuck trying to match the regex.
+Many default regular expression parsers have unbounded worst-case complexity. Regex matching may be quick when presented with a matching input string. However, certain non-matching input strings can make the regular expression matcher go into crazy backtracking loops and take ages to process. This can cause denial of service, as the CPU will be stuck trying to match the regex.
 
 This tool is designed to:
 *  find regular expressions which are vulnerable to ReDoS
 *  give an example malicious string which will cause catastrophic backtracking
 
-Something something regexes are bad.
-
 ## Worst-case complexity
 
 This reflects the complexity of the regular expression matcher's backtracking procedure with respect to the length of the entered string.
 
 Cubic complexity here means that if the vulnerable part of the string is doubled in length, the execution time should be about 8 times longer (2^3).
 For exponential ReDoS with starred stars e.g. `(a*)*$` a fudge factor is used and the complexity will be greater than 10.
 
-For explotability, a cubic complexity or higher is typically required unless truly giant strings are allowed as input.
+For explotability, cubic complexity or higher is typically required unless truly giant strings are allowed as input.
 
 ## Example
 
@@ -41,7 +39,7 @@ To scan the installed python modules run `regexploit-python-env`.
 
 ```
 Importing ua_parser.user_agent_parser
-Vulnerable regex in /Users/b3n/Research/redosauto/.env/lib/python3.9/site-packages/ua_parser/user_agent_parser.py #183
+Vulnerable regex in /somewhere/.env/lib/python3.9/site-packages/ua_parser/user_agent_parser.py #183
 Pattern: \bSmartWatch *\( *([^;]+) *; *([^;]+) *;
 Context: self.user_agent_re = re.compile(self.pattern)
 ---
@@ -53,7 +51,7 @@ Worst-case complexity: 3 ⭐⭐⭐
 Repeated character: [20]
 Example: 'SmartWatch(0;' + ' ' * 3456
 
-Vulnerable regex in /Users/b3n/Research/redosauto/.env/lib/python3.9/site-packages/ua_parser/user_agent_parser.py #183
+Vulnerable regex in /somewhere/.env/lib/python3.9/site-packages/ua_parser/user_agent_parser.py #183
 Pattern: ; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\d+[^\);]+)[^\);]*\)
 Context: self.user_agent_re = re.compile(self.pattern)
 ---
@@ -67,15 +65,19 @@ For each vulnerable regular expression it prints one or more malicious string to
 
 # Installation
 
-For now, clone and run
+Python 3.8+ is required. To extract regexes from JavaScript / TypeScript code, NodeJS 12+ is also required.
+
+Optionally make a virtual environment
 
 ```bash
-# Optionally make a virtualenv
 python3 -m venv .env
 source .env/bin/activate
-# Now actually install
-pip install -e .
-(cd regexploit/bin/javascript; npm install --production)
+```
+
+Now actually install with pip
+
+```
+pip install regexploit
 ```
 
 # Usage
@@ -93,62 +95,51 @@ or via a file
 ```bash
 cat myregexes.txt | regexploit
 ```
-
-Nothing is printed when no ReDoS is found.
-
-## Python imports
-
-Search for regexes in all the python modules currently installed in your path / env. This means you can `pip install` whatever modules you are interested in and they will be analysed. Cpython code is included.
-
-```bash
-regexploit-python-env
-```
-
-N.B. this doesn't parse the python code to an AST and will only find regexes compiled automatically on module import. Modules are actually imported, so code in the modules will be executed.
-
-
 ## Python code
 
-Parses Python code (without executing it) via the AST to find regexes (with some false positives). The regexes are then analysed for ReDoS.
+Parses Python code (without executing it) via the AST to find regexes. The regexes are then analysed for ReDoS.
 
 ```bash
-regexploit-py my-project/stuff.py
+regexploit-py my-project/
 regexploit-py "my-project/**/*.py" --glob
 ```
-
 ## Javascript / Typescript
 
-This will use the bundled NodeJS package in `regexploit/bin/javascript` which parses your javascript as an AST with [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/master/packages/parser) and prints out all regexes.
+This will use the bundled NodeJS package in `regexploit/bin/javascript` which parses your javascript as an AST with [eslint](https://github.com/typescript-eslint/typescript-eslint/tree/master/packages/parser) and prints out all regexes.
 
 Those regexes are fed into the python ReDoS finder.
 
 ```bash
-regexploit-js my-module/my-file.js another/file.js
+regexploit-js my-module/my-file.js another/file.js some/folder/
 regexploit-js "my-project/node_modules/**/*.js" --glob
 ```
 
-N.B. there are differences between javascript and python regex parsing so there may be some errors. I'm [not sure I want](https://hackernoon.com/the-madness-of-parsing-real-world-javascript-regexps-d9ee336df983) to write a JS regex AST! Also, use NodeJS version >=12.
+N.B. there are differences between javascript and python regex parsing so there may be some errors. I'm [not sure I want](https://hackernoon.com/the-madness-of-parsing-real-world-javascript-regexps-d9ee336df983) to write a JS regex AST!
 
-## Ruby
-
-TODO: not so straight forward to extract the regexes because of the way they are often built up from multiple strings.
-
-## PHP
+## Python imports
 
-TODO: not so straight forward to extract the regexes because of the way they are often built up from multiple strings. Can maybe grep for simple uses of `preg_match` and pipe into `regexploit`.
+Search for regexes in all the python modules currently installed in your path / env. This means you can `pip install` whatever modules you are interested in and they will be analysed. Cpython code is included.
 
-## Golang / anything using re2
+```bash
+regexploit-python-env
+```
 
-Unless you specifically use a non-deterministic finite automata, Go code is not vulnerable to this type of ReDoS. It uses `re2` which does not have catastrophic backtracking.
+N.B. this doesn't parse the python code to an AST and will only find regexes compiled automatically on module import. Modules are actually imported, **so code in the modules will be executed**. This is helpful for finding regexes which are built up from smaller strings on load e.g. [CVE-2021-25292 in Pillow](https://github.com/python-pillow/Pillow/commit/3bce145966374dd39ce58a6fc0083f8d1890719c)
 
 ## JSON / YAML
 
+Yaml requires pyyaml, which can be installed with `pip install regexploit[yaml]`.
+
 ```bash
 regexploit-json *.json
 regexploit-yaml *.yaml
 ```
+## C# (.NET)
 
-# Bugs reported
+```bash
+regexploit-csharp something.cs
+```
+# :trophy: Bugs reported :trophy:
 
 * [bpo-38804: cpython's http.cookiejar](https://github.com/python/cpython/pull/17157) (Set-Cookie header parsing)
 * [CVE-2020-5243: uap-core](https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p) affecting uap-python, [uap-ruby](https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw), etc. (User-Agent header parsing)
@@ -161,7 +152,8 @@ regexploit-yaml *.yaml
 * [CVE-2021-27291: pygments](https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14) lexers for ADL, CADL, Ceylon, Evoque, Factor, Logos, Matlab, Octave, ODIN, Scilab & Varnish VCL (Syntax highlighting)
 * [CVE-2021-27292: ua-parser-js](https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566) (User-Agent header parsing)
 * [CVE-2021-27293: RestSharp](https://github.com/restsharp/RestSharp/issues/1556) (JSON deserialisation in a .NET C# package)
-* Plus unpublished bugs in pypi packages, npm packages and a nuget (C#) package
+* CVE-2021-28092: to be released
+* Plus unpublished bugs in a handful of pypi, npm, ruby and nuget packages
 
 ## Credits
 
diff --git a/setup.py b/setup.py
@@ -5,9 +5,9 @@
 
 setuptools.setup(
     name="regexploit",
-    version="0.0.1",
+    version="1.0.0rc1",
     author="Ben Caller :: Doyensec",
-    author_email="REMOVE.THIS.PREFIX.ben@doyensec.com",
+    author_email="REMOVETHISPREFIX.ben@doyensec.com",
     description="Find regular expressions vulnerable to ReDoS",
     long_description=long_description,
     long_description_content_type="text/markdown",
