Add internal regular expression timeouts

With default timeout from redos_regex_timeout configuration option.

Author: marksmith

lib/aikido/zen/config.rb

@@ -188,6 +188,11 @@ class Config
     #   Defaults to 15 entries.
     attr_accessor :attack_wave_max_cache_samples
 
+    # @return [Float, nil] the timeout in seconds for regular expression matching.
+    #  Applied to selected internal regular expressions to mitigate ReDoS risks.
+    #  Defaults to 1.0 seconds.
+    attr_accessor :redos_regexp_timeout
+
     def initialize
       self.insert_middleware_after = ::ActionDispatch::RemoteIp
       self.disabled = read_boolean_from_env(ENV.fetch("AIKIDO_DISABLE", false)) || read_boolean_from_env(ENV.fetch("AIKIDO_DISABLED", false))
@@ -227,6 +232,7 @@ def initialize
       self.attack_wave_min_time_between_events = 20 * 60 * 1000 # 20 min (ms)
       self.attack_wave_max_cache_entries = 10_000
       self.attack_wave_max_cache_samples = 15
+      self.redos_regexp_timeout = 1.0
     end
 
     # Set the base URL for API requests.

lib/aikido/zen/helpers.rb

@@ -19,6 +19,16 @@ def self.normalize_path(path)
         normalized_path.chomp!("/") unless normalized_path == "/"
         normalized_path
       end
+
+      # Returns a copy of the regexp with the timeout set if timeout is supported.
+      #
+      # @param regexp [Regexp] the regexp
+      # @return [Regexp] the regexp with timeout set
+      def self.regexp_with_timeout(regexp, timeout: Aikido::Zen.config.redos_regexp_timeout)
+        return regexp if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.2")
+
+        Regexp.new(regexp.source, regexp.options, timeout: timeout)
+      end
     end
   end
 end

lib/aikido/zen/scanners/sql_injection_scanner.rb

@@ -65,10 +65,10 @@ def attack?
         return false unless @query.include?(@input)
 
         # If the input is solely alphanumeric, we can ignore it
-        return false if /\A[[:alnum:]_]+\z/i.match?(@input)
+        return false if Aikido::Zen::Helpers.regexp_with_timeout(/\A[[:alnum:]_]+\z/i).match?(@input)
 
         # If the input is a comma-separated list of numbers, ignore it.
-        return false if /\A[ ,]*\d[ ,\d]*\z/.match?(@input)
+        return false if Aikido::Zen::Helpers.regexp_with_timeout(/\A[ ,]*\d[ ,\d]*\z/).match?(@input)
 
         Internals.detect_sql_injection(@query, @input, @dialect)
       rescue => err

test/aikido/zen/config_test.rb

@@ -37,6 +37,7 @@ class Aikido::Zen::ConfigTest < ActiveSupport::TestCase
     assert_equal 20, @config.api_schema_collection_max_properties
     assert_equal true, @config.stored_ssrf?
     assert_equal ["metadata.google.internal", "metadata.goog"], @config.imds_allowed_hosts
+    assert_equal 1.0, @config.redos_regexp_timeout
   end
 
   test "can set AIKIDO_DISABLE to configure if the agent should be turned off" do

test/aikido/zen/scanners/sql_injection_scanner_test.rb

@@ -278,18 +278,13 @@ def refute_attack(query, input = query, *args)
   test "it flags regular expression matching timeouts as attacks" do
     skip_if_ruby_lower_than("3.2")
 
-    begin
-      timeout = Regexp.timeout
-      Regexp.timeout = 0.01
+    input = "1," * 1 * 1024 * 1024
 
-      refute_attack "SELECT * FROM users WHERE id IN (123,)", "123,"
+    refute_attack "SELECT * FROM users WHERE id IN (#{input})", input
 
-      input = "1," * 1 * 1024 * 1024
+    Aikido::Zen.config.redos_regexp_timeout = 0.001
 
-      assert_attack "SELECT * FROM users WHERE id IN (#{input})", input
-    ensure
-      Regexp.timeout = timeout
-    end
+    assert_attack "SELECT * FROM users WHERE id IN (#{input})", input
   end
 
   test "attacks are not prevented if libzen can't be loaded" do