Skip to content

Use fuzzing for searching ReDoS attack opportunities #2294

Description

@Markoutte

Description

Fuzzing has the potential to detect ReDoS attack opportunities.

Example: Found vulnerability in sqlparse library.

Expected behavior

Now we could write a test like:

boolean test(String str) {
    if (Pattern.compile("a|a*").matcher(str).matches()) {
        return true;
    }
    return false;
}

All tests which are marked as timeout can be recognized as a bad input.

Metadata

Metadata

Assignees

Labels

ctg-enhancementNew feature, improvement or change request

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions