Skip to content
/ ReScue Public

An automated tool for the detection of regexes' slow-matching vulnerabilities.

License

Notifications You must be signed in to change notification settings

2bdenny/ReScue

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

64 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ReScue is under testing & debugging now.

Using ReScue

Simple use

Download the zip, decompress it, then:

cd release/
java -jar ReScue.jar

Sample output should be:

Input regex: (?=(a+)+b)aaabx
(?=(a+)+b)aaabx
1: <14 : 4.0 : aaabx>
===Initiate End===
Node Coverage: 14/14
find attack string when cross
===Genetic Algorithm End===
Node Coverage: 14/14
Vulnerable: babaaabbaaaaaaaaaaaaaaaa
100027 : 4001.08 : babaaabbaaaaaaaaaaaaaaaa
100017 : 7144.071428571428 : aaaaaaaaaaaaa
1000029 : aaaaaaaaaaaaaaaaa
1000244 : 27 : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
100000246 : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
TIME: 20.548258612 (s)
Attack success, attack string is:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Batch test

Download the zip, decompress it, then:

  1. Put your regexes in one file, like my_regexes.txt, a regex per line
  2. Put the file in test/data/
  3. Find manul of how to run the test script:
cd test/
python batchtester.py
  1. Or just run the test:
python batchtester.py -a -reg my_regexes.txt
  1. Wait a lot of time, and be careful about your CPU, monitor it by htop or something else
  2. Auto collect the evaluation result:
python batchtester.py -c -logDir ./test/logs/ReScue.jar/my_regexes.txt/<digits>/
  1. You will get some report like this:
Attack Summary
First Success: 0
Real Success: 0
Failed: 22
	Pumping: 0; Timeout: 0; Normal: 22; Init: 0; Cross: 0; Select: 0
Unparsable: 3
Total: 25
Node Coverage: init/ga/total 179/179/194
  1. And you can find the attack strings in the logDir

Directory

ReScue
├─jars 		# Put dependencies here (prefuse.jar, etc.)
├─release	# ReScue.jar
├─src/cn/edu/nju/moon/redos/
│     ├─attackers
│     │  ├─ga
│     │  │  ├─crossovers
│     │  │  ├─initiators
│     │  │  ├─mutators
│     │  │  └─selectors
│     │  └─pp
│     ├─regex
│     ├─tester	# Look at the MyTester.java, you can add your own tester here
│     └─utils
└─test
	├─data				# Put regexes txt files here
	└─scripts			# Some scripts used for evaluation

Dependencies

Dependencies can be installed by maven automatically now, I love maven!

Following is the deprecated dependencies intro

  1. JDK 1.8 and Python3
  2. The prefuse visualization toolkit: prefuse.jar
  3. junit-4.12.jar
  4. hamcrest-core-1.3.jar
  5. commons-lang-2.6.jar

Confirmed ReDoS vulnerabilities

  1. nhn/tui.editor#141
  2. ajaxorg/ace#3638
  3. meteor/meteor#9731
  4. openstates/openstates-scrapers#2020

ReDoS vulnerabilities under testing

  1. metabase/metabase#7354
  2. prose/prose#1071
  3. adobe/brackets#14154

Document Build Instructions

  1. This is a temporary solution
  2. The main class for ReScue is located in cn.edu.nju.moon.redos.tester.RedosTester.java
  3. To build the jar file, create a java project in Eclipse on directory ReScue and use File - Export-Runnable JAR File - Launch configuration: RedosTester to generate it
  4. Do not forget to import dependencies in Java Build Path

About

An automated tool for the detection of regexes' slow-matching vulnerabilities.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •