
Matomo ReDoS vulnerability (regex denial of service) #216

Open
bittner opened this issue Jul 13, 2022 · 0 comments

Comments

@bittner
Member

bittner commented Jul 13, 2022

We have been contacted by junior security researchers who pointed out that one of our regular expressions in the Matomo module makes software using Analytical vulnerable to Regular expression Denial of Service attacks (ReDoS).

I'm publishing this information in the faith that this vulnerability cannot be exploited easily in our context, because the Matomo server URL is a configuration setting that is not user supplied.

Details

From analytical/templatetags/matomo.py, line 20:

# domain name (characters separated by a dot), optional port, optional URI path, no slash
DOMAINPATH_RE = re.compile(r'^(([^./?#@:]+\.)*[^./?#@:]+)+(:[0-9]+)?(/[^/?#@:]+)*$')

The problematic bit is the repetition (]+)+) after a piece that induces backtracking.

Anyone willing to assist in fixing this issue is very welcome! 🙏

Potential Solution Approaches

  1. Simplify the regular expression (remove or limit the repetition)
  2. Use urllib.parse.urlparse and/or related functions
  3. A combination of 1. and 2.

Example: (note that urlparse alone seems unsuitable for our use case)

from urllib.parse import urlparse

from django.conf import settings
from django.template import Node


class MatomoNode(Node):
    def __init__(self):

        # avoid ReDoS vulnerability not using a regex with backtracking
        parsable_url = '//' + getattr(settings, 'MATOMO_DOMAIN_PATH', '')
        result = urlparse(parsable_url)
        if result.scheme or (not result.netloc and not result.path):
            # make this fail
            # (ValueError used here to make the sketch runnable; the project may use its own exception)
            raise ValueError('MATOMO_DOMAIN_PATH must look like "domain[:port][/path]" without a scheme')

Background Reading
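The following is an added example, not code from the django-analytical project or from the issue author. It puts the regex quoted in the issue next to approach 1 (the same language without the nested quantifier) and approach 3 (urlsplit plus explicit checks, as sketched above), compares the three on constructed sample settings values, and includes a small timing probe showing the exponential blow-up of the original pattern on a crafted value. The names SAFE_DOMAINPATH_RE, validate_domain_path, is_valid_domain_path, check_parity and match_seconds, and the sample values, are assumptions made for the demonstration.

```python
"""ReDoS demo for the Matomo DOMAINPATH_RE reported in this issue.

Added example, not django-analytical's own code.  The names SAFE_DOMAINPATH_RE,
validate_domain_path, is_valid_domain_path, check_parity, match_seconds and the
sample inputs are assumptions made for the demonstration.
"""
import re
import time
from urllib.parse import urlsplit

# The regex quoted in the issue.  `([^./?#@:]+\.)*[^./?#@:]+` is wrapped in a
# second `(...)+`, so a run of n label characters can be split between the two
# quantifiers in 2**(n-1) ways, and the engine tries every split before it
# gives up on a string that cannot match (for example one ending in '@').
VULNERABLE_DOMAINPATH_RE = re.compile(
    r'^(([^./?#@:]+\.)*[^./?#@:]+)+(:[0-9]+)?(/[^/?#@:]+)*$')

# Approach 1: drop the outer repetition.  Repeating "labels ending in a label"
# only concatenates label characters, which a single `[^./?#@:]+` already
# covers, so the accepted language is unchanged.  Label characters, '.', ':'
# and '/' are disjoint, so at every position exactly one branch can advance
# and the engine never has to backtrack.
SAFE_DOMAINPATH_RE = re.compile(
    r'^[^./?#@:]+(\.[^./?#@:]+)*(:[0-9]+)?(/[^/?#@:]+)*$')

_HOST_LABEL_BAD = frozenset('./?#@:')
_PATH_SEGMENT_BAD = frozenset('/?#@:')
_DIGITS = frozenset('0123456789')


def validate_domain_path(value: str) -> str:
    """Approach 3: urlsplit plus explicit checks, no regex at all.

    Returns ``value`` unchanged when it is "domain[:port][/path]" with
    non-empty host labels, a numeric port and non-empty path segments,
    otherwise raises ValueError.  urlsplit is used rather than urlparse so a
    ';' in the path is not split off as "params".
    """
    parsed = urlsplit('//' + value)  # leading '//' forces the value into netloc
    if parsed.scheme or parsed.query or parsed.fragment:
        raise ValueError('scheme, query string or fragment not allowed: %r' % value)
    if not parsed.netloc or '@' in parsed.netloc:
        raise ValueError('missing host or user info not allowed: %r' % value)
    host, colon, port = parsed.netloc.partition(':')
    if colon and (not port or not set(port) <= _DIGITS):
        raise ValueError('port must be one or more digits: %r' % value)
    for label in host.split('.'):
        if not label or set(label) & _HOST_LABEL_BAD:
            raise ValueError('empty or invalid host label: %r' % value)
    if parsed.path:
        for segment in parsed.path.split('/')[1:]:
            if not segment or set(segment) & _PATH_SEGMENT_BAD:
                raise ValueError('empty or invalid path segment: %r' % value)
    return value


def is_valid_domain_path(value: str) -> bool:
    """Boolean wrapper; urlsplit itself may also raise ValueError (e.g. '[' without ']')."""
    try:
        validate_domain_path(value)
    except ValueError:
        return False
    return True


# Constructed sample settings values: the first group must be accepted and the
# second rejected by all three validators.
SAMPLE_VALID = ['example.com', 'localhost', 'stats.example.com:8080',
                'example.com/matomo', 'stats.example.com:8080/analytics/matomo']
SAMPLE_INVALID = ['', 'https://example.com', 'user@example.com', 'example.com/',
                  'example.com/a//b', 'example.com?x=1', 'example.com#top',
                  'example.com:', 'example.com:abc', '.example.com', 'example..com']


def check_parity():
    """Return the sample values on which the three validators disagree with the expected verdict."""
    disagreements = []
    cases = [(v, True) for v in SAMPLE_VALID] + [(v, False) for v in SAMPLE_INVALID]
    for value, expected in cases:
        verdicts = (bool(VULNERABLE_DOMAINPATH_RE.match(value)),
                    bool(SAFE_DOMAINPATH_RE.match(value)),
                    is_valid_domain_path(value))
        if verdicts != (expected, expected, expected):
            disagreements.append((value, verdicts))
    return disagreements


def match_seconds(pattern, text):
    """Wall-clock seconds that one pattern.match() call takes on text."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == '__main__':
    # Each extra label character roughly doubles the vulnerable pattern's
    # running time; the rewritten pattern stays linear.  n is kept small so the
    # demo finishes in well under a minute.
    for n in (10, 14, 18):
        attack = 'a' * n + '@'
        print('n=%2d  vulnerable %.3fs  safe %.6fs' % (
            n, match_seconds(VULNERABLE_DOMAINPATH_RE, attack),
            match_seconds(SAFE_DOMAINPATH_RE, attack)))
```

Run the file directly to see the timing table; the crafted value is a run of label characters followed by a character no part of the pattern accepts, which is exactly the shape that forces the original regex to enumerate every split before failing. Because MATOMO_DOMAIN_PATH comes from settings rather than from a request, the practical risk in this project is low, as the issue notes, but the rewritten regex is a drop-in replacement with the same accepted language and no backtracking at all.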
