Regex Dos in Chi with Jwt Tokens

A Regular Expression Denial of Service (Regex DoS) occurs when an attacker provides input that causes a regular expression engine to exhibit catastrophic backtracking, consuming excessive CPU time. In Chi, a common Haskell web framework, regex patterns used for route matching or token validation can become vulnerable when applied to untrusted input such as JWT tokens. JWT tokens are typically base64url-encoded strings that contain structured but user-controlled data. If a developer uses a complex, nested, or overly permissive regex to parse or validate parts of a JWT (such as the header or payload segments), an attacker can craft a token designed to maximize backtracking.

For example, consider a route definition that attempts to match a JWT token using a pattern with overlapping quantifiers, such as (a+)+ applied to a token segment. A malicious input like a long string of a characters can cause the regex engine to explore an exponential number of paths. Although Chi does not include a built-in regex parser for JWTs, if application-level code or middleware uses such patterns to validate tokens—perhaps to enforce format constraints or extract claims—the unauthenticated attack surface becomes exposed. Because middleBrick scans the unauthenticated attack surface and includes checks for Input Validation, it can detect endpoints where regex-based token handling is present and flag potential DoS risks.

The interaction between Chi routing and JWT token formats can inadvertently amplify these risks. JWTs consist of three dot-separated segments (header, payload, signature). If a developer writes a Chi route using a regex that does not enforce strict boundaries—for instance, using .* or ambiguous repetitions across the dot separators—the regex may attempt to match across segment boundaries in pathological ways. This can lead to long processing times when scanning tokens that are large or specially crafted. middleBrick’s Input Validation checks are designed to identify such risky patterns by correlating runtime behavior with OpenAPI/Swagger specifications and flagging endpoints where token handling lacks clear constraints.

Moreover, because Chi applications often rely on middleware for token validation, a regex DoS can be triggered before proper authentication checks occur. This means an attacker can force server-side resource exhaustion without needing valid credentials. The vulnerability is not in JWT itself but in how regex patterns are constructed and applied to token-like inputs. middleBrick’s unauthenticated scanning helps surface these patterns by testing endpoint behavior with varied token structures and monitoring for signs of excessive processing or irregular response behavior.

To contextualize the risk, consider how middleBrick’s 12 security checks operate in parallel. The Input Validation check, combined with rate limiting and data exposure assessments, can highlight endpoints where JWT token handling might be susceptible to abuse. While Chi does not inherently introduce regex flaws, the framework’s flexibility in defining routes means developers must ensure that any regex used for token parsing is non-backtracking and bounded. middleBrick supports this by providing per-category breakdowns and prioritized findings with remediation guidance, enabling teams to address specific weaknesses in token validation logic.

Remediation focuses on avoiding complex or ambiguous regular expressions when handling JWT tokens in Chi routes and middleware. Instead of writing custom regex for token parsing, use structured token libraries and strict pattern constraints. Below are concrete code examples demonstrating safe approaches in Chi, using the jwt library for token validation and avoiding problematic regex patterns.

Example 1: Safe JWT validation without regex

Use a dedicated JWT library to decode and verify tokens. This avoids regex entirely and ensures proper structural validation.

import JWT from "jwt"
import type { Handler} from "@/types"

export let validateToken: Handler = async (req, res, next) ->
  let token = req.headers["authorization"]?.split("Bearer ")[1]
  if not token
    res.status = 401
    res.json({ error: "Missing token" })
    return
  try
    let decoded = JWT.verify token, process.env.JWT_SECRET
    req.context.user = decoded
    next()
  catch err
    res.status = 401
    res.json({ error: "Invalid token" })

Example 2: Route definition using exact path parameters

Define routes with precise path segments instead of regex-based matching. This ensures tokens are treated as opaque strings and not parsed with fragile patterns.

import { router, get, post } from "@pkg/router"
import { validateToken } from "./middleware"

router
  .get("/api/secure", validateToken, (req, res) ->
    res.json({ message: "Authenticated access" })
  )
  .post("/api/secure/data", validateToken, (req, res) ->
    let body = req.body
    res.json({ received: body })
  )

export default router

Example 3: Avoiding regex in custom token parsing

If token parsing is necessary, use string operations rather than regex. For example, splitting by dot and validating segment structure without backtracking-prone patterns.

let token = "header.payload.signature"
let parts = token.split(".")
if parts.length != 3
  throw new Error("Invalid JWT format")
let header = JSON.parse(atob(parts[0]))
let payload = JSON.parse(atob(parts[1]))
// Proceed with validation

Example 4: Enforcing strict token format in OpenAPI spec

Define the expected JWT format in your OpenAPI/Swagger specification to guide validation and reduce reliance on runtime regex checks.

paths:
  /api/secure:
    get:
      summary: Secure endpoint
      security:
        bearerAuth: []
      responses:
        '200':
          description: OK
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

These examples emphasize deterministic, non-backtracking validation strategies. By relying on established libraries and avoiding ambiguous regex patterns, developers can mitigate Regex DoS risks while maintaining compatibility with JWT standards. middleBrick’s Pro plan supports continuous monitoring for such issues, enabling teams to detect risky patterns across multiple endpoints and integrate scans into CI/CD pipelines via the GitHub Action.