A denial of service Regex breaks FastAPI security

SnykSec - Aug 1 - - Dev Community

Welcome, fellow developers! In this blog post, we are going to delve deep into the world of application security, specifically focusing on a vulnerability that can deteriorate FastAPI security: Denial of service (DoS) caused by insecure regular expressions (regex). We'll explore how a poorly constructed regex can lead to what is known as regular expression denial of service (ReDoS), a form of DoS attack, and how these vulnerabilities can be identified and mitigated using a powerful developer security tool — Snyk.

Understanding ReDoS impact on FastAPI security in Python

Python, one of the most popular programming languages, has a vast ecosystem of packages and libraries. While these packages make our lives easier as developers, they also pose a potential risk if not properly secured. With the rapid pace of software development, packages are often updated and new versions are released, sometimes unknowingly introducing security risks.

One such risk is the potential for a ReDoS attack, a form of DoS attack in which an attacker provides malicious input to a regular expression that takes a very long time to evaluate. This causes the application to become unresponsive or slow down significantly, which can have serious implications, from a degraded user experience to complete application failure.

import re
pattern = re.compile("^(a+)+$")
def check(input):
    return bool(pattern.match(input))
check("a" * 3000 + "!")
Enter fullscreen mode Exit fullscreen mode

In the above code, the regular expression ^(a+)+$ is vulnerable to a ReDoS attack. If an attacker provides a string of 'a's followed by a non-'a' character, the regex takes a very long time to evaluate, effectively causing a DoS.

How Snyk can protect your FastAPI Python applications

Snyk is a developer-first security tool that can scan your Python code for potential ReDoS vulnerabilities. It provides detailed reports of the identified vulnerabilities and recommends the most suitable fixes.

# After installing Snyk and setting up the Snyk CLI
# you can scan your project:
$ snyk test 
Enter fullscreen mode Exit fullscreen mode

This command will scan your third-party dependency manifest, usually at requirements.txt file, and provide a report of all identified vulnerabilities, including potential ReDoS vulnerabilities. Sign up for a free Snyk account to start scanning your Python projects for ReDoS and other vulnerabilities today.

Understanding the impact of such vulnerabilities and how to mitigate them is critical to maintaining a secure Python application. This is where tools like Snyk come in handy. Snyk Open Source can help identify and fix security vulnerabilities in Python packages, including insecure regular expressions that can lead to a ReDoS attack.

Let's take a closer look at how to identify and mitigate such vulnerabilities in FastAPI Python web applications using Snyk.

FastAPI security vulnerability with CVE-2024-24762

FastAPI is a modern, high-performance web framework for building APIs with Python based on standard Python-type hints. Its key features are its speed and its ability to quickly and effortlessly build robust APIs, making it a popular choice for Python developers who need to build high-performance RESTful APIs.

FastAPI simplifies the process of building APIs by providing a routing mechanism, serialization/deserialization, and validation out of the box. It is built on top of Python projects Starlette for the web parts and Pydantic for the data parts. This allows developers to take advantage of the asynchronous features that are available in Python 3.6 and up.

As an example, creating a simple API with a FastAPI Python web application can be accomplished with the following code snippet:

from fastapi import FastAPI
app = FastAPI()
@app.get("/")
def read_root():
    return {"Hello": "World"}
Enter fullscreen mode Exit fullscreen mode

While FastAPI is a robust and agile tool for developing APIs, it is not devoid of vulnerabilities. One of these is the vulnerability to CVE-2024-24762. This is a denial-of-service vulnerability that originates in the regex used by the Python package python-multipart.

The python-multipart dependency is a Python library for parsing multipart/form data. It is commonly used as a dependency in FastAPI to manage form data.

The vulnerability occurs when an attacker sends a malicious string that causes the regular expression in python-multipart to consume high amounts of CPU, leading to a denial of service (DoS). This is also known as a regular expression denial of service (ReDoS).

How would a Python developer mitigate this vulnerability? The first step is to identify the vulnerability in your project. This can be done using the Snyk CLI tool.

$ snyk test
Enter fullscreen mode Exit fullscreen mode

Detecting vulnerabilities such as this requires scanning your project's dependencies, which will provide a report of all vulnerabilities in your project's dependencies.

The output of the Snyk test command finds the vulnerability:

snyk test

Testing /Users/lirantal/projects/repos/fastapi-vulnerable-redos-app...

Tested 13 dependencies for known issues, found 1 issue, 1 vulnerable path.

Issues to fix by upgrading dependencies:

  Upgrade fastapi@0.109.0 to fastapi@0.109.1 to fix
  ✗ Regular Expression Denial of Service (ReDoS) (new) [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-FASTAPI-6228055] in fastapi@0.109.0
    introduced by fastapi@0.109.0

Organization:      liran.tal
Package manager:   pip
Target file:       requirements.txt
Project name:      fastapi-vulnerable-redos-app
Enter fullscreen mode Exit fullscreen mode

To fix the vulnerability, you can upgrade to newer versions of the python-multipart package and of fastapi that have fixed the vulnerability, and these versions are suggested by Snyk.

Building and breaking FastAPI security: A step-by-step guide

Our first step is to set up a new Python project. We'll need to install FastAPI, along with a server to host it on. Uvicorn is a good choice for a server because it is lightweight and works well with FastAPI.

Start by installing FastAPI, python-multipart, and Uvicorn with pip:

pip install fastapi==0.109.0 uvicorn python-multipart==0.0.6
Enter fullscreen mode Exit fullscreen mode

Next, create a new directory for your project, and inside that directory, create a new file for your FastAPI application. You can call it main.py.

Writing the FastAPI Python code

Now we're ready to write our FastAPI application code. Open main.py and add the following Python code:

from typing import Annotated
from fastapi.responses import HTMLResponse
from fastapi import FastAPI,Form
from pydantic import BaseModel

class Item(BaseModel):
    username: str

app = FastAPI()

@app.get("/", response_class=HTMLResponse)
async def index():
    return HTMLResponse("Test", status_code=200)

@app.post("/submit/")
async def submit(username: Annotated[str, Form()]):
    return {"username": username}

@app.post("/submit_json/")
async def submit_json(item: Item):
    return {"username": item.username}
Enter fullscreen mode Exit fullscreen mode

This simple FastAPI application has several routes (/), including /submit, which uses a multipart form. When a POST request is received, the submit route returns the username that was submitted.

Starting the server and running the application

With our FastAPI application code written, we can now start the Uvicorn server and run our application.

Use the following command to start the server:

uvicorn main:app --reload
Enter fullscreen mode Exit fullscreen mode

You should see an output indicating that the server is running. You can test your application by navigating to http://localhost:8000 in your web browser. The message "Test" should be displayed on the page.

Breaking FastAPI security with a ReDoS attack

Now that our FastAPI application is running, we can test it for vulnerabilities. We'll use a ReDoS attack payload in the HTTP request to exploit the vulnerability in the python-multipart package that parses the content-type header value.

If you have the curl program installed, run the following command in your terminal:

curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'
Enter fullscreen mode Exit fullscreen mode

Securing your FastAPI application with Snyk

As you saw by now, open source dependencies play a key role in building Python applications. However, these third-party dependencies can sometimes be a breeding ground for vulnerabilities, thus posing significant security threats. In this context, Snyk Open Source emerges as a robust tool that helps developers identify and fix security issues effectively.

Imagine you could quickly find FastAPI security vulnerabilities already in the IDE panel when you write Python code instead of waiting until security scanners pick this up at a later stage.

The Snyk IDE extension is free, and if you’re using PyCharm, you can search for Snyk in the Plugins view and download it directly from there. If you’re using VS Code you can similarly find it in the Extensions marketplace right from the IDE.

Introduction to Snyk Open Source and its capabilities

Snyk Open Source is a powerful tool used for uncovering and addressing vulnerabilities in open source dependencies and container images. It is designed to integrate easily with the existing codebase and CI/CD systems, making it a handy tool for developers. It provides a comprehensive database of known vulnerabilities, enabling developers to proactively address potential breaches in security.

Step-by-step guide on how to scan Python dependencies for vulnerabilities with Snyk

To scan Python dependencies for vulnerabilities with Snyk, you first need to install the Snyk CLI. You can do this using one of the methods in the guide, or if you have a Node.js environment, you can quickly install Snyk with npm install -g snyk and then run snyk auth to authenticate.

Once installed, you can use the snyk test command to check your Python project for vulnerabilities:

snyk test --all-projects
Enter fullscreen mode Exit fullscreen mode

Snyk will then scan all your dependencies and compare them against its vulnerability database. If any issues are found, Snyk will provide a detailed report with information about the vulnerability, its severity, and possible fixes.

Monitoring your projects with Snyk is crucial to maintain the security of your application. With Snyk, not only can you detect vulnerabilities, but you can also apply automated fixes, which can save you time and resources.

In addition, Snyk offers vulnerability alerts that notify you about new vulnerabilities that may affect your projects. This allows you to stay one step ahead and fix security issues before they can be exploited.

With the snyk monitor command, you can take a snapshot of your current project dependencies and monitor them for vulnerabilities:

snyk monitor
Enter fullscreen mode Exit fullscreen mode

How to integrate Snyk with Git repositories

Integrating Snyk with your Git repositories allows you to automatically scan every commit for vulnerabilities. This can be done by adding Snyk as a webhook in your repository settings.


Once this is done, each push to your repository will trigger a Snyk scan, helping you catch and fix vulnerabilities as early as possible.

To conclude, Snyk Open Source is a valuable tool for maintaining the security of your Python projects. By scanning for vulnerabilities, monitoring your projects, and integrating with your Git repositories, Snyk enables you to maintain a robust, secure codebase. If you haven't already, sign up for a free Snyk account and start securing your applications today.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .