
Commit e193c1c

Merge pull request #113 from ossf/redos_excesses
ReDoS clarification
2 parents 4b605e0 + f6a6539 commit e193c1c


1 file changed

+6
-1
lines changed

secure_software_development_fundamentals.md

Lines changed: 6 additions & 1 deletion
@@ -1672,10 +1672,13 @@ There are many solutions to this problem, including the following:
16721672

16731673
4. Implement a timeout, on the regex (if supported) or on the application as a whole. For example, [Ruby 3.2](https://www.ruby-lang.org/en/news/2022/04/03/ruby-3-2-0-preview1-released/) supports a global regex timeout value (`Regexp.timeout`) and a timeout parameter when instantiating a regular expression object. The [.NET framework MatchTimeout mechanisms](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.matchtimeout) can also set a global timeout value or one for each regex.
16741674

1675-
5. Don’t run regexes provided by attackers on systems you trust. It is okay for an adversary to provide a regex that they themselves always run (in that case, attackers just attack themselves). But if attackers can provide regexes that you run, they may be able to cause a ReDOS (unless you have taken other steps to prevent it). Regexes are, in general, programming languages, and you should generally avoid running attacker-provided programs. It is possible to do it relatively securely, but you need to take a lot of precautions and it is always more secure to just not do it.
1675+
5. Don’t run regexes provided by attackers on systems other than their own. It is okay for an adversary to provide a regex that they themselves always run (in that case, attackers just attack themselves). But if attackers can provide regexes that you run, they may be able to cause a ReDOS (unless you have taken other steps to prevent it). Regexes are, in general, programming languages, and you should generally avoid running attacker-provided programs. It is possible to do it relatively securely, but you need to take a lot of precautions and it is always more secure to just not do it.
16761676

16771677
If you are interested in more details, see the [OWASP discussion](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) about this.
16781678

1679+
Note: ReDoS is often *not* a real vulnerability. Such regexes can *only* be a vulnerability if they run on a trusted system and process untrusted input. There are many tools that can detect regexes that are vulnerable to ReDoS but don't determine if the input sources are untrusted. Such tools can flood developers with so-called "vulnerabilities" that aren't really vulnerabilities. In addition, in some cases countermeasures (like maximum input sizes and timeouts) effectively eliminate ReDoS effectiveness. Even when a regex processes untrusted inputs and these countermeasures fail, ReDoS at *most* will cause a denial of service, not a loss of confidentiality or integrity. Thus, while ReDoS can be a real vulnerability, it's often not a vulnerability or is less important. If you find yourself dealing with a large number of ReDoS vulnerability reports, recheck to see if these are real vulnerabilities.
1680+
(See [Enosuchblog's "ReDoS "vulnerabilities" and misaligned incentives"](https://blog.yossarian.net/2022/12/28/ReDoS-vulnerabilities-and-misaligned-incentives).)
1681+
16791682
#### Quiz 1.5: Countering ReDoS Attacks on Regular Expressions
16801683

16811684
\>\>Which of these are *practical* ways to mitigate ReDoS attacks? Select all answers that apply.<<
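Review bot: the two added paragraphs at 1679+ and 1680+ have quoting and spelling nits that should be fixed before merge. The link text at 1680+ nests double quotes inside double quotes (`"ReDoS "vulnerabilities" and misaligned incentives"`), which reads as a closing quote right after `ReDoS`; use single quotes for the inner pair (`"ReDoS 'vulnerabilities' and misaligned incentives"`) or drop the outer pair, and consider folding the parenthetical citation into the end of the note paragraph instead of leaving it as a one-line paragraph of its own. The rewritten item 5 at 1675+ still spells the term `ReDOS` while the new note and the quiz heading use `ReDoS`; pick one spelling. In the note, "effectively eliminate ReDoS effectiveness" repeats the same stem twice; "make a ReDoS attack ineffective" reads better. The substance at 1679+ is sound: the conditions it names (trusted system, untrusted input, no countermeasures in place) are exactly what items 4 and 5 above address, so a back-reference such as "the countermeasures listed above" would tie the note to the list it follows.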
@@ -5966,6 +5969,8 @@ Dulin, Maxwell (ꓘ), Finding an Authorization Bypass on my Own Website, 2022-03
59665969

59675970
ECMA, ECMA-262, 12th edition, June 2021, ECMAScript® 2021 Language Specification, “The Number Type” ([https://www.ecma-international.org/ecma-262/11.0/index.html#sec-ecmascript-language-types-number-type]((https://www.ecma-international.org/ecma-262/11.0/index.html#sec-ecmascript-language-types-number-type))
59685971

5972+
Enosuchblog, 2022-12-28, "ReDoS "vulnerabilities" and misaligned incentives", <https://blog.yossarian.net/2022/12/28/ReDoS-vulnerabilities-and-misaligned-incentives>
5973+
59695974
Enable Cross-Origin Resource Sharing ([https://enable-cors.org/](https://enable-cors.org/))
59705975

59715976
Flatt Security Inc,, "Finding an unseen SQL Injection by bypassing escape functions in mysqljs/mysql", 2022-02-21, (<https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4>)
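Review bot: the new entry at 5972+ is out of alphabetical order and does not follow the list's citation format. It sits between "ECMA" and "Enable Cross-Origin Resource Sharing", but "Ena" sorts before "Eno", so it belongs after the Enable CORS entry. The neighbouring entries give author, title, then date (for example `Flatt Security Inc,, "Finding an unseen SQL Injection ...", 2022-02-21`), while this one puts the date before the title; reorder to match. The title also nests double quotes inside double quotes, as in the body-text hunk; use single quotes for the inner pair. Unrelated to this change but visible in the context at 5970: the ECMA entry's link has a doubled opening parenthesis (`]((https://...`) that will not render as a link; worth a follow-up fix.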
