
regex_redos.py: Check whether location-block contains ReDoS regexp. #30

Draft · wants to merge 4 commits into base: master

Conversation


@MegaManSec MegaManSec commented Feb 23, 2025

This plugin queries an external server (which must be set by the caller) to check for any regular expressions used in location-blocks that are vulnerable to ReDoS vulnerabilities.

It is with great displeasure that I provide this plugin in this format: by calling a web API. However, there is simply no other solution. This plugin is disabled by default, and requires an external HTTP server to be set up before it can be used.

At the moment, only location blocks are checked, however in the future, more directives can be checked.

Amendments to this PR are highly appreciated.

Since it requires an external server, no checks are added.

Fixes #25.

This plugin queries an external server (which must be set by the
caller) to check for any regular expressions used in location-blocks
that are vulnerable to ReDoS vulnerabilities.
@MegaManSec MegaManSec marked this pull request as draft February 23, 2025 06:13

MegaManSec commented Feb 23, 2025

Example usage:

```
# gixy --regex-redos-url http://localhost:3001/recheck --tests regex_redos

==================== Results ===================

>> Problem: [regex_redos] Detect directives with regexes that are vulnerable to Regular Expression Denial of Service (ReDoS).
Description: Regular expressions with the potential for catastrophic backtracking allow an nginx server to be denial-of-service attacked with very low resources (also known as ReDoS).
Additional info: https://joshua.hu/regex-redos-nginx-gixy
Reason: Regex is vulnerable to 2nd degree polynomial ReDoS: /statis/(.*)\.js\.map.
Pseudo config:

server {
	server_name servername.com;

	location ~ /static/(.*)\.js\.map {
	}
}
```

TODO:

  • the additional info link does not exist yet.
  • README.md does not explain this check, or its flags. The README.md also does not explain the other plugins' option flags:
    • --origins-domains domains (Default: *)
    • --origins-https-only https_only (Default: False)
    • --regex-redos-url url (Default: )
    • --add-header-redefinition-headers headers (Default: )
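The extraction step the plugin performs, as an added example that is not part of this PR or of gixy itself: it pulls the regex out of every `location ~` / `location ~*` directive and hands each one to a checker. The PR delegates that check to an external HTTP endpoint whose request format is not shown here, so the checker is injectable, and the local `unanchored_wildcard` fallback is an assumption standing in for that server.

```python
import re
from typing import Callable, List, Tuple

# Matches nginx "location" directives that carry a regex modifier (~ or ~*).
# Exact-match (=) and prefix (^~, or no modifier) locations hold no regex, so
# they are skipped. Assumption: "#" comments were already stripped from the text.
LOCATION_RE = re.compile(
    r'''^\s*location\s+(~\*?)\s+(?:"([^"]*)"|'([^']*)'|(\S+))\s*\{''',
    re.MULTILINE,
)

def extract_location_regexes(config_text: str) -> List[Tuple[str, str]]:
    """Return (modifier, regex) pairs for every regex location block."""
    found = []
    for m in LOCATION_RE.finditer(config_text):
        modifier = m.group(1)
        pattern = next(g for g in m.groups()[1:] if g is not None)
        found.append((modifier, pattern))
    return found

def unanchored_wildcard(pattern: str) -> bool:
    """Crude local heuristic (an assumption, not the PR's server-side analysis):
    a pattern that is not anchored at the start and contains an unbounded
    wildcard (.* or .+) lets a backtracking engine retry the wildcard from every
    start position, the shape behind the polynomial case the PR output reports
    for /static/(.*)\\.js\\.map. Anchoring and a bounded class avoid that."""
    return not pattern.startswith("^") and re.search(r"(?<!\\)\.[*+]", pattern) is not None

def find_redos_candidates(config_text: str,
                          checker: Callable[[str], bool] = unanchored_wildcard) -> List[str]:
    """Run 'checker' over every regex location (the PR's plugin asks an HTTP server instead)."""
    return [p for _, p in extract_location_regexes(config_text) if checker(p)]

# Constructed sample config: the PR's pseudo config plus an anchored, bounded variant.
SAMPLE_CONFIG = """
server {
    server_name servername.com;
    location ~ /static/(.*)\\.js\\.map {
    }
    location ~ ^/static/([^/]+)\\.js\\.map$ {
    }
    location = /healthz {
    }
}
"""

if __name__ == "__main__":
    for pat in find_redos_candidates(SAMPLE_CONFIG):
        print("ReDoS candidate:", pat)
```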

@MegaManSec MegaManSec changed the title regex_redos.py: Check whether location-block contains ReDoS regexp. #25 regex_redos.py: Check whether location-block contains ReDoS regexp. Feb 23, 2025
@MegaManSec MegaManSec changed the title #25 regex_redos.py: Check whether location-block contains ReDoS regexp. regex_redos.py: Check whether location-block contains ReDoS regexp. Feb 23, 2025

Successfully merging this pull request may close these issues.

Detect ReDOS regex
1 participant