mongrel2/Tir

Tir is vulnerable to a hash collision DOS attack.

Opened this issue · 1 comment

pygy commented

In its current form, Tir is vulnerable to the attack described here.

Lua strings are interned. The predictability of the hashing algorithm makes it possible to flood it with strings designed to produce collisions, which can slow down the server. You can take a server down from a single client using this technique.

Since the url_parse and its POST equivalent parse everything, Tir is vulnerable to these attacks.

A solution would be to pass a table with the keys to extract from the request.

pygy commented

Here's an lpeg-based solution. It could easily be extended to URL-decode the text on the fly.

This is for GET requests. A similar solution could be written for POST.

local lpeg = require 'lpeg'   -- recent lpeg releases do not set a global

local      C,      Cg,      Cmt,      Ct,      l,             P
    = lpeg.C, lpeg.Cg, lpeg.Cmt, lpeg.Ct, lpeg.locale(), lpeg.P

-- a value ends at '&' or at the end of the subject
local end_value = P(-1) + "&"

local function Not (pat) return P(1) - pat end

-- any other key=value pair is consumed, but no Lua string is ever created for it
local other_arg = l.alnum^1 * '=' * Not(end_value)^0 * end_value


function new_GET_args_parser (tbl)
-- builds a custom lpeg pattern for the keys given.
-- It may be possible to write a generic version and pass it params,
-- but I don't know how.
  local already_found, args

  for _, k in ipairs(tbl) do
    -- the key is only matched, never placed in the result table;
    -- the Cmt rejects a second occurrence of the same key
    local key = Cmt( C( P(k) ) * "=", function( _, _, k )
      assert( not already_found[k], 'Aaaargh' )
      already_found[k] = true
      -- print('key', k)
      return true
    end)
    -- a named group whose pattern has no captures yields the whole match,
    -- so Ct stores the raw value under k
    local value = Cg( Not(end_value)^0, k ) * end_value
    args = args and args + key*value or key*value
  end
  args = args + other_arg
  return Cmt(P'', function()
    already_found = {} return true -- resets the state so the parser can be reused
  end) * Ct(args^0)
  -- note: args^0 never fails, so parsing stops silently at the first pair
  -- that is neither a wanted key nor an alphanumeric key
end

args_parser = new_GET_args_parser{'login', 'password'}

params = args_parser:match'login=Foo&password=Bar&other=ignored'
--> {login='Foo', password='Bar'}

extracter2 = new_GET_args_parser{'same'}
success, msg = pcall(lpeg.match, extracter2, 'same=key&same=well-tried')
--> false, Aaaargh


--[[----------------------------------------------------------------------------
             The Romantic WTF public license.
             --------------------------------
             a.k.a. version "<3" or simply v3




     Dear Zed,


     this short piece of code

                                      \ 
                                       '.,__
                                    \  /
                                     '/,__
                                     /
                                    /
                                   /
                has been          / released
           - - - - - - - -       - - - - - - - - 
         under  the  Romantic   WTF Public License.
        - - - - - - - - - - -',' - - - - - - - - - - 
        I hereby grant you an irrevocable license to
         - - - - - - - - - - - - - - - - - - - - -
           do what the gentle caress you want to
                - - - - - - - - - - - - - - -  
                    with   this   little
                       - - - - - - - - 
                        / snippet.
                       /  - - - -
                      /    Love,
                #    /       -
                ##  /  ##    ,
                #######     
                #####
                ###
                #




     -- Pierre-Yves.




]]------------------------------------------------------------------------------
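Added example, not part of Tir and not code from pygy's comment: the same whitelist idea in plain Lua without lpeg, extended with the on-the-fly URL-decoding mentioned above and with a cap on the number of pairs. The names new_query_parser and url_decode and the max_pairs limit are this example's own assumptions. The point it demonstrates is that unknown keys are tested in place with an anchored string.find, which returns only integers, so an attacker-chosen key is never copied into a Lua string and therefore never interned or hashed; only the values of whitelisted keys are materialised, at most one per key.

```lua
-- Added example (not Tir's or pygy's code). Assumed names: new_query_parser,
-- url_decode, max_pairs. The only Lua strings created from attacker input are
-- the values of whitelisted keys (one per key) and the request string itself.

local function url_decode(s)
  s = s:gsub("%+", " ")
  return (s:gsub("%%(%x%x)", function(hex)
    return string.char(tonumber(hex, 16))
  end))
end

-- Build a reusable parser for the given list of keys.
local function new_query_parser(wanted, max_pairs)
  max_pairs = max_pairs or 64
  -- Escape each key once so it can be used as an anchored literal pattern.
  local patterns = {}
  for i, key in ipairs(wanted) do
    patterns[i] = { key = key, pat = "^" .. key:gsub("%W", "%%%0") .. "=" }
  end

  return function(query)
    local out, seen = {}, {}
    local pos, len, npairs = 1, #query, 0
    while pos <= len do
      npairs = npairs + 1
      if npairs > max_pairs then
        return nil, "too many parameters"
      end
      -- End of this pair: the char before the next '&', or the end of the string.
      local amp = query:find("&", pos, true)
      local stop = amp and amp - 1 or len
      -- Test each wanted key at this position; '^' anchors find at init, so
      -- this compares in place and never scans past the pair or copies the key.
      for _, p in ipairs(patterns) do
        local _, e = query:find(p.pat, pos)
        if e then
          if seen[p.key] then
            return nil, "duplicate parameter: " .. p.key
          end
          seen[p.key] = true
          out[p.key] = url_decode(query:sub(e + 1, stop))
          break
        end
      end
      pos = stop + 2   -- skip the '&' (or run past the end)
    end
    return out
  end
end

-- Constructed inputs for this example.
local parse = new_query_parser({ "login", "password" })
local params = assert(parse("login=Foo&password=B%61r+baz&other=ignored&x=y"))
assert(params.login == "Foo")
assert(params.password == "Bar baz")
assert(params.other == nil and params.x == nil)

local parse_same = new_query_parser({ "same" })
local r, err = parse_same("same=key&same=well-tried")
assert(r == nil and err == "duplicate parameter: same")

local limited = new_query_parser({ "a" }, 3)
local r2, err2 = limited("a=1&b=2&c=3&d=4")
assert(r2 == nil and err2 == "too many parameters")

return new_query_parser
```

The cap on pairs bounds the scan itself, so a request with a million bogus keys costs one pass over at most max_pairs pairs rather than a million table insertions. The request string is still one Lua string, but it is a single string per request, not one per attacker-chosen key, so collision flooding has nothing to flood.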