[Zope] More regular expressions security

Tue Wennerberg tue@wennerberg.dk
Sun, 19 Jan 2003 21:13:12 +0100


Oliver Bleutgen wrote:
> Tue Wennerberg wrote:
> 
>>
>> Regular expressions should be allowed by default.
>>
>> I've spent some time trying to find out why regular expressions are 
>> not allowed in Zope through-the-web development.
>>
>> The answer I hear is: "Because it's a security issue". Digging a 
>> little deeper, it turns out to be because TTW script developers can 
>> cause a Denial of Service from Zope by writing a particularly nasty 
>> regular expression in a script, causing Zope to use 100% CPU time.
> 
> 
> Well, I vaguely remember having participated in a discussion about that 
> also, and I believe I chipped in an example like:
> 
> for a in range(0,1000):
>   for b in range(0,1000):
>     for c in range(0,1000):
> 
> ... you get the picture.
>
> Thus demonstrating that a malicious scripter could always cause a DOS. 

My point exactly! The Zope book actually states:

   "Loop limits
   Scripts cannot create infinite loops. If your script loops a very
   large number of times Zope will raise an error. This restriction
   covers all kinds of loops including for and while loops. The reason
   for this restriction is to limit your ability to hang Zope by creating
   an infinite loop."

But I'm pretty sure there's always a way around this. Probably your 
example is one. Point is, you should be able to trust your script developer.

> The answer I got, IIRC, was that the point is not to guard against 
> maliciousness, but against stupidity. And if you think about it, it's 
> quite more likely someone writing a working, but extremely bad 
> performing regexp, which kills the server as soon as put into production 
> use, than someone accidentally nesting loops like I wrote above.
> I don't know about you, but I think this argument is at least more 
> convincing than the "malicious scripter" one.

Well, now we're getting somewhere. I believe that "guarding against 
stupidity" is a much more valid point. However, still not valid enough 
that regular expressions should be banned, since regular expressions 
would be such a great feature for Zope.

In my eyes, a script developer should be trusted to create well-written 
code. In other words, badly developed scripts cause a badly developed 
site, which shouldn't surprise anyone. I don't think Zope should (or 
can) protect against stupidity. In my experience, when non-expert 
developers create regular expressions, they are always trivial 
expressions, which don't cause such problems.

Of course a programming error shouldn't be able to shut down an entire 
system, but that should be solved in another way (e.g. resource control 
for individual processes/threads).

-- 
Best regards, Tue Wennerberg
M.Sc. in Engineering and Freelance Developer
http://tuewennerberg.dk/ - tue@wennerberg.dk - (+45) 4043 6735
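
The per-process resource control suggested at the end of this message, as an added example that is not code from the thread or from Zope: the regular expression runs in a separate interpreter that is killed when a wall-clock budget runs out. It assumes Python 3 and that starting one child process per call is acceptable; `bounded_search` and `RegexTimeout` are hypothetical names, and the inputs are constructed.

```python
import json
import subprocess
import sys

# Child program: reads a JSON job on stdin, prints the match span (or null).
_CHILD = r"""
import json, re, sys
job = json.load(sys.stdin)
m = re.search(job["pattern"], job["text"])
json.dump(m.span() if m else None, sys.stdout)
"""


class RegexTimeout(Exception):
    """The pattern did not finish within the allowed wall-clock time."""


def bounded_search(pattern, text, timeout=2.0):
    """Run re.search(pattern, text) in a throwaway interpreter.

    Returns the (start, end) span of the first match, or None.
    Raises RegexTimeout if the child is still running after `timeout`
    seconds; subprocess.run() kills the child before re-raising, so a
    runaway pattern cannot keep a CPU busy once the caller has given up.
    """
    job = json.dumps({"pattern": pattern, "text": text})
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD],
            input=job, capture_output=True, text=True,
            timeout=timeout, check=True,
        )
    except subprocess.TimeoutExpired:
        raise RegexTimeout(pattern) from None
    span = json.loads(proc.stdout)
    return None if span is None else tuple(span)


if __name__ == "__main__":
    # Constructed inputs: a trivial pattern, then a nested quantifier that
    # backtracks exponentially on a near-miss string.
    print(bounded_search(r"\d+", "order 2003"))
    try:
        bounded_search(r"(a+)+$", "a" * 40 + "b", timeout=1.0)
    except RegexTimeout as exc:
        print("killed after timeout:", exc)
```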