A denial of service Regex breaks FastAPI security
2024年7月31日
0 分で読めますWelcome, fellow developers! In this blog post, we are going to delve deep into the world of application security, specifically focusing on a vulnerability that can deteriorate FastAPI security: Denial of service (DoS) caused by insecure regular expressions (regex). We'll explore how a poorly constructed regex can lead to what is known as regular expression denial of service (ReDoS), a form of DoS attack, and how these vulnerabilities can be identified and mitigated using a powerful developer security tool — Snyk.
What is ReDoS?
ReDoS is an algorithmic complexity attack that produces a denial-of-service by providing a regular expression that takes a very long time to evaluate. The attacker submits a malicious string to a web form input or URL query parameter that is processed by a vulnerable regular expression. The time taken by the regular expression to process the string is more than polynomial, and in many cases, nearly exponential in relation to the input size, leading to very long processing times, thereby causing a denial of service.
Understanding ReDoS impact on FastAPI security in Python
Python, one of the most popular programming languages, has a vast ecosystem of packages and libraries. While these packages make our lives easier as developers, they also pose a potential risk if not properly secured. With the rapid pace of software development, packages are often updated and new versions are released, sometimes unknowingly introducing security risks.
One such risk is the potential for a ReDoS attack, a form of DoS attack in which an attacker provides malicious input to a regular expression that takes a very long time to evaluate. This causes the application to become unresponsive or slow down significantly, which can have serious implications, from a degraded user experience to complete application failure.
1import re
2pattern = re.compile("^(a+)+$")
3def check(input):
4 return bool(pattern.match(input))
5check("a" * 3000 + "!")
In the above code, the regular expression ^(a+)+$
is vulnerable to a ReDoS attack. If an attacker provides a string of 'a's followed by a non-'a' character, the regex takes a very long time to evaluate, effectively causing a DoS.
How Snyk can protect your FastAPI Python applications
Snyk is a developer-first security tool that can scan your Python code for potential ReDoS vulnerabilities. It provides detailed reports of the identified vulnerabilities and recommends the most suitable fixes.
1# After installing Snyk and setting up the Snyk CLI
2# you can scan your project:
3$ snyk test
This command will scan your third-party dependency manifest, usually at requirements.txt
file, and provide a report of all identified vulnerabilities, including potential ReDoS vulnerabilities. Sign up for a free Snyk account to start scanning your Python projects for ReDoS and other vulnerabilities today.
Understanding the impact of such vulnerabilities and how to mitigate them is critical to maintaining a secure Python application. This is where tools like Snyk come in handy. Snyk Open Source can help identify and fix security vulnerabilities in Python packages, including insecure regular expressions that can lead to a ReDoS attack.
Let's take a closer look at how to identify and mitigate such vulnerabilities in FastAPI Python web applications using Snyk.
FastAPI security vulnerability with CVE-2024-24762
FastAPI is a modern, high-performance web framework for building APIs with Python based on standard Python-type hints. Its key features are its speed and its ability to quickly and effortlessly build robust APIs, making it a popular choice for Python developers who need to build high-performance RESTful APIs.
FastAPI simplifies the process of building APIs by providing a routing mechanism, serialization/deserialization, and validation out of the box. It is built on top of Python projects Starlette for the web parts and Pydantic for the data parts. This allows developers to take advantage of the asynchronous features that are available in Python 3.6 and up.
As an example, creating a simple API with a FastAPI Python web application can be accomplished with the following code snippet:
1from fastapi import FastAPI
2app = FastAPI()
3@app.get("/")
4def read_root():
5 return {"Hello": "World"}
While FastAPI is a robust and agile tool for developing APIs, it is not devoid of vulnerabilities. One of these is the vulnerability to CVE-2024-24762. This is a denial-of-service vulnerability that originates in the regex used by the Python package python-multipart
.
The python-multipart
dependency is a Python library for parsing multipart/form data. It is commonly used as a dependency in FastAPI to manage form data.
The vulnerability occurs when an attacker sends a malicious string that causes the regular expression in python-multipart
to consume high amounts of CPU, leading to a denial of service (DoS). This is also known as a regular expression denial of service (ReDoS).
How would a Python developer mitigate this vulnerability? The first step is to identify the vulnerability in your project. This can be done using the Snyk CLI tool.
$ snyk test
Detecting vulnerabilities such as this requires scanning your project's dependencies, which will provide a report of all vulnerabilities in your project's dependencies.
The output of the Snyk test command finds the vulnerability:
1snyk test
2
3Testing /Users/lirantal/projects/repos/fastapi-vulnerable-redos-app...
4
5Tested 13 dependencies for known issues, found 1 issue, 1 vulnerable path.
6
7Issues to fix by upgrading dependencies:
8
9 Upgrade fastapi@0.109.0 to fastapi@0.109.1 to fix
10 ✗ Regular Expression Denial of Service (ReDoS) (new) [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-FASTAPI-6228055] in fastapi@0.109.0
11 introduced by fastapi@0.109.0
12
13Organization: liran.tal
14Package manager: pip
15Target file: requirements.txt
16Project name: fastapi-vulnerable-redos-app
To fix the vulnerability, you can upgrade to newer versions of the python-multipart
package and of fastapi
that have fixed the vulnerability, and these versions are suggested by Snyk.
How does the CVE-2024-24762 vulnerability affect FastAPI applications?
The CVE-2024-24762 vulnerability is a hypothetical example that demonstrates a ReDOS vulnerability in the FastAPI framework. If an attacker provided a malicious input to an endpoint that uses a vulnerable regular expression, it could cause the FastAPI application to consume excessive resources and become unresponsive, effectively taking it offline.
Building and breaking FastAPI security: A step-by-step guide
Our first step is to set up a new Python project. We'll need to install FastAPI, along with a server to host it on. Uvicorn is a good choice for a server because it is lightweight and works well with FastAPI.
Start by installing FastAPI, python-multipart, and Uvicorn with pip:
pip install fastapi==0.109.0 uvicorn python-multipart==0.0.6
Next, create a new directory for your project, and inside that directory, create a new file for your FastAPI application. You can call it main.py
.
Writing the FastAPI Python code
Now we're ready to write our FastAPI application code. Open main.py
and add the following Python code:
1from typing import Annotated
2from fastapi.responses import HTMLResponse
3from fastapi import FastAPI,Form
4from pydantic import BaseModel
5
6class Item(BaseModel):
7 username: str
8
9app = FastAPI()
10
11@app.get("/", response_class=HTMLResponse)
12async def index():
13 return HTMLResponse("Test", status_code=200)
14
15@app.post("/submit/")
16async def submit(username: Annotated[str, Form()]):
17 return {"username": username}
18
19@app.post("/submit_json/")
20async def submit_json(item: Item):
21 return {"username": item.username}
This simple FastAPI application has several routes (/), including /submit
, which uses a multipart form. When a POST request is received, the submit
route returns the username that was submitted.
Starting the server and running the application
With our FastAPI application code written, we can now start the Uvicorn server and run our application.
Use the following command to start the server:
uvicorn main:app --reload
You should see an output indicating that the server is running. You can test your application by navigating to http://localhost:8000
in your web browser. The message "Test" should be displayed on the page.
Breaking FastAPI security with a ReDoS attack
Now that our FastAPI application is running, we can test it for vulnerabilities. We'll use a ReDoS attack payload in the HTTP request to exploit the vulnerability in the python-multipart
package that parses the content-type header value.
If you have the curl
program installed, run the following command in your terminal:
1curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'
Securing your FastAPI application with Snyk
As you saw by now, open source dependencies play a key role in building Python applications. However, these third-party dependencies can sometimes be a breeding ground for vulnerabilities, thus posing significant security threats. In this context, Snyk Open Source emerges as a robust tool that helps developers identify and fix security issues effectively.
Imagine you could quickly find FastAPI security vulnerabilities already in the IDE panel when you write Python code instead of waiting until security scanners pick this up at a later stage.
The Snyk IDE extension is free, and if you’re using PyCharm, you can search for Snyk in the Plugins view and download it directly from there. If you’re using VS Code you can similarly find it in the Extensions marketplace right from the IDE.
Introduction to Snyk Open Source and its capabilities
Snyk Open Source is a powerful tool used for uncovering and addressing vulnerabilities in open source dependencies and container images. It is designed to integrate easily with the existing codebase and CI/CD systems, making it a handy tool for developers. It provides a comprehensive database of known vulnerabilities, enabling developers to proactively address potential breaches in security.
Step-by-step guide on how to scan Python dependencies for vulnerabilities with Snyk
To scan Python dependencies for vulnerabilities with Snyk, you first need to install the Snyk CLI. You can do this using one of the methods in the guide, or if you have a Node.js environment, you can quickly install Snyk with npm install -g snyk
and then run snyk auth
to authenticate.
Once installed, you can use the snyk test
command to check your Python project for vulnerabilities:
snyk test --all-projects
Snyk will then scan all your dependencies and compare them against its vulnerability database. If any issues are found, Snyk will provide a detailed report with information about the vulnerability, its severity, and possible fixes.
Monitoring your projects with Snyk is crucial to maintain the security of your application. With Snyk, not only can you detect vulnerabilities, but you can also apply automated fixes, which can save you time and resources.
In addition, Snyk offers vulnerability alerts that notify you about new vulnerabilities that may affect your projects. This allows you to stay one step ahead and fix security issues before they can be exploited.
With the snyk monitor
command, you can take a snapshot of your current project dependencies and monitor them for vulnerabilities:
snyk monitor
How to integrate Snyk with Git repositories
Integrating Snyk with your Git repositories allows you to automatically scan every commit for vulnerabilities. This can be done by adding Snyk as a webhook in your repository settings.
Once this is done, each push to your repository will trigger a Snyk scan, helping you catch and fix vulnerabilities as early as possible.
To conclude, Snyk Open Source is a valuable tool for maintaining the security of your Python projects. By scanning for vulnerabilities, monitoring your projects, and integrating with your Git repositories, Snyk enables you to maintain a robust, secure codebase. If you haven't already, sign up for a free Snyk account and start securing your applications today.