欢迎各位开发者!在这篇博文中,我们将深入研究应用程序安全领域,特别关注可能恶化 FastAPI 安全性的漏洞:由不安全的正则表达式 (regex) 导致的拒绝服务 (DoS)。我们将探讨构造不良的正则表达式如何导致所谓的正则表达式拒绝服务 (ReDoS)(一种 DoS 攻击),以及如何使用强大的开发人员安全工具 Snyk 来识别和缓解这些漏洞。
Python 是最流行的编程语言之一,拥有庞大的包和库生态系统。虽然这些软件包让我们作为开发人员的生活变得更轻松,但如果没有得到适当的保护,它们也会带来潜在的风险。随着软件开发的快速发展,软件包经常更新、新版本发布,有时会在不知不觉中引入安全风险。
其中一个风险是潜在的 ReDoS 攻击,这是一种 DoS 攻击,攻击者向需要很长时间才能评估的正则表达式提供恶意输入。这会导致应用程序变得无响应或显着减慢,这可能会产生严重的影响,从用户体验下降到应用程序完全失败。
import re pattern = re.compile("^(a+)+$") def check(input): return bool(pattern.match(input)) check("a" * 3000 + "!")
在上面的代码中,正则表达式^(a+)+$容易受到ReDoS攻击。如果攻击者提供一串“a”后跟一个非“a”字符,则正则表达式需要很长时间来评估,从而有效地导致 DoS。
Snyk 是一款开发人员优先的安全工具,可以扫描您的 Python 代码以查找潜在的 ReDoS 漏洞。它提供已识别漏洞的详细报告并推荐最合适的修复方案。
# After installing Snyk and setting up the Snyk CLI # you can scan your project: $ snyk test
此命令将扫描您的第三方依赖项清单(通常在requirements.txt 文件中),并提供所有已识别漏洞的报告,包括潜在的ReDoS 漏洞。立即注册免费的 Snyk 帐户,开始扫描您的 Python 项目是否存在 ReDoS 和其他漏洞。
了解此类漏洞的影响以及如何缓解它们对于维护安全的 Python 应用程序至关重要。这就是 Snyk 这样的工具派上用场的地方。 Snyk Open Source 可以帮助识别和修复 Python 包中的安全漏洞,包括可能导致 ReDoS 攻击的不安全正则表达式。
让我们仔细看看如何使用 Snyk 识别和缓解 FastAPI Python Web 应用程序中的此类漏洞。
FastAPI 是一个现代的高性能 Web 框架,用于基于标准 Python 类型提示使用 Python 构建 API。它的主要特点是速度以及快速、轻松地构建强大 API 的能力,使其成为需要构建高性能 RESTful API 的 Python 开发人员的热门选择。
FastAPI 通过提供开箱即用的路由机制、序列化/反序列化和验证来简化构建 API 的过程。它构建在用于 Web 部分的 Python 项目 Starlette 和用于数据部分的 Pydantic 之上。这允许开发人员利用 Python 3.6 及更高版本中提供的异步功能。
作为示例,可以使用以下代码片段来完成使用 FastAPI Python Web 应用程序创建简单的 API:
from fastapi import FastAPI app = FastAPI() @app.get("/") def read_root(): return {"Hello": "World"}
虽然 FastAPI 是一个强大而敏捷的 API 开发工具,但它并非没有漏洞。其中之一是 CVE-2024-24762 漏洞。这是一个拒绝服务漏洞,源自 Python 包 python-multipart 使用的正则表达式。
python-multipart 依赖项是一个用于解析多部分/表单数据的 Python 库。它通常用作 FastAPI 中的依赖项来管理表单数据。
当攻击者发送恶意字符串,导致 python-multipart 中的正则表达式消耗大量 CPU,从而导致拒绝服务 (DoS) 时,就会出现该漏洞。这也称为正则表达式拒绝服务 (ReDoS)。
Python 开发人员如何缓解此漏洞?第一步是识别项目中的漏洞。这可以使用 Snyk CLI 工具来完成。
$ snyk test
检测此类漏洞需要扫描项目的依赖项,这将提供项目依赖项中所有漏洞的报告。
Snyk 测试命令的输出发现了漏洞:
snyk test Testing /Users/lirantal/projects/repos/fastapi-vulnerable-redos-app... Tested 13 dependencies for known issues, found 1 issue, 1 vulnerable path. Issues to fix by upgrading dependencies: Upgrade fastapi@0.109.0 to fastapi@0.109.1 to fix ✗ Regular Expression Denial of Service (ReDoS) (new) [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-FASTAPI-6228055] in fastapi@0.109.0 introduced by fastapi@0.109.0 Organization: liran.tal Package manager: pip Target file: requirements.txt Project name: fastapi-vulnerable-redos-app
要修复该漏洞,您可以升级到已修复该漏洞的 python-multipart 包和 fastapi 的较新版本,这些版本是 Snyk 建议的。
Our first step is to set up a new Python project. We'll need to install FastAPI, along with a server to host it on. Uvicorn is a good choice for a server because it is lightweight and works well with FastAPI.
Start by installing FastAPI, python-multipart, and Uvicorn with pip:
pip install fastapi==0.109.0 uvicorn python-multipart==0.0.6
Next, create a new directory for your project, and inside that directory, create a new file for your FastAPI application. You can call it main.py.
Now we're ready to write our FastAPI application code. Open main.py and add the following Python code:
from typing import Annotated from fastapi.responses import HTMLResponse from fastapi import FastAPI,Form from pydantic import BaseModel class Item(BaseModel): username: str app = FastAPI() @app.get("/", response_class=HTMLResponse) async def index(): return HTMLResponse("Test", status_code=200) @app.post("/submit/") async def submit(username: Annotated[str, Form()]): return {"username": username} @app.post("/submit_json/") async def submit_json(item: Item): return {"username": item.username}
This simple FastAPI application has several routes (/), including /submit, which uses a multipart form. When a POST request is received, the submit route returns the username that was submitted.
With our FastAPI application code written, we can now start the Uvicorn server and run our application.
Use the following command to start the server:
uvicorn main:app --reload
You should see an output indicating that the server is running. You can test your application by navigating to http://localhost:8000 in your web browser. The message "Test" should be displayed on the page.
Now that our FastAPI application is running, we can test it for vulnerabilities. We'll use a ReDoS attack payload in the HTTP request to exploit the vulnerability in the python-multipart package that parses the content-type header value.
If you have the curl program installed, run the following command in your terminal:
curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'
As you saw by now, open source dependencies play a key role in building Python applications. However, these third-party dependencies can sometimes be a breeding ground for vulnerabilities, thus posing significant security threats. In this context, Snyk Open Source emerges as a robust tool that helps developers identify and fix security issues effectively.
Imagine you could quickly find FastAPI security vulnerabilities already in the IDE panel when you write Python code instead of waiting until security scanners pick this up at a later stage.
The Snyk IDE extension is free, and if you’re using PyCharm, you can search for Snyk in the Plugins view and download it directly from there. If you’re using VS Code you can similarly find it in the Extensions marketplace right from the IDE.
Snyk Open Source is a powerful tool used for uncovering and addressing vulnerabilities in open source dependencies and container images. It is designed to integrate easily with the existing codebase and CI/CD systems, making it a handy tool for developers. It provides a comprehensive database of known vulnerabilities, enabling developers to proactively address potential breaches in security.
To scan Python dependencies for vulnerabilities with Snyk, you first need to install the Snyk CLI. You can do this using one of the methods in the guide, or if you have a Node.js environment, you can quickly install Snyk with npm install -g snyk and then run snyk auth to authenticate.
Once installed, you can use the snyk test command to check your Python project for vulnerabilities:
snyk test --all-projects
Snyk will then scan all your dependencies and compare them against its vulnerability database. If any issues are found, Snyk will provide a detailed report with information about the vulnerability, its severity, and possible fixes.
Monitoring your projects with Snyk is crucial to maintain the security of your application. With Snyk, not only can you detect vulnerabilities, but you can also apply automated fixes, which can save you time and resources.
In addition, Snyk offers vulnerability alerts that notify you about new vulnerabilities that may affect your projects. This allows you to stay one step ahead and fix security issues before they can be exploited.
With the snyk monitor command, you can take a snapshot of your current project dependencies and monitor them for vulnerabilities:
snyk monitor
Integrating Snyk with your Git repositories allows you to automatically scan every commit for vulnerabilities. This can be done by adding Snyk as a webhook in your repository settings.
完成此操作后,每次推送到您的存储库都会触发 Snyk 扫描,帮助您尽早捕获并修复漏洞。
总而言之,Snyk Open Source 是维护 Python 项目安全性的宝贵工具。通过扫描漏洞、监控项目以及与 Git 存储库集成,Snyk 使您能够维护强大、安全的代码库。如果您还没有注册一个免费的 Snyk 帐户,请立即开始保护您的应用程序。
以上是拒绝服务正则表达式破坏了 FastAPI 安全性的详细内容。更多信息请关注PHP中文网其他相关文章!