Regex Dos in Chi with Mutual Tls

Regex Denial of Service (ReDoS) in Chi combined with Mutual TLS creates a unique risk profile because the security boundary is enforced at the transport layer while the application layer remains susceptible to inefficient patterns. Mutual TLS ensures that only clients with valid certificates can reach your Chi routes, but it does not protect the request-processing logic once the connection is established.

In Chi, route definitions often use pattern matchers that rely on regular expressions, either directly through custom matchers or indirectly via path parameters that are validated with user-supplied regexes. If a route uses a non-optimized regex to validate paths or query parameters, an attacker who has established a mutually authenticated TLS session can send crafted inputs that cause catastrophic backtracking. Because Mutual TLS verifies the client identity, the request is processed with higher trust, which may lead developers to skip additional input sanitization, inadvertently increasing the impact of a single malicious payload.

Consider a Chi route that matches user-controlled identifiers using a permissive pattern:

;; Potentially vulnerable route with a loose regex pattern
(def route
  (ring/compile-routes
    [{:path "/files/*id"
      :method :get
      :handler (fn [request]
                 (let [id (get-in request [:path-params :id])]
                   (if (re-matches #".*[a-zA-Z0-9_]+.*" id)
                     {:status 200 :body (str "File: " id)}
                     {:status 400 :body "Invalid"}})))}]))

The regex . *[a-zA-Z0-9_]+.* is vulnerable to exponential time complexity when presented with specific long strings containing many repeated characters. Even with Mutual TLS in place, an authenticated client can trigger ReDoS by sending a carefully constructed path such as /files/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!. The TLS session establishes that the client is trusted, but the server spends disproportionate CPU cycles evaluating the pattern, leading to resource exhaustion and degraded service for all requests.

Chi applications that dynamically construct or load regexes from configuration or user input are at higher risk. For example, if an admin endpoint allows updating validation rules via a spec that includes regex strings, an attacker with a valid certificate could inject a malicious pattern that affects the entire service. This is especially dangerous when the same regex is reused across multiple routes or when input validation is deferred to downstream handlers.

The combination of Mutual TLS and Regex Dos highlights the need to treat authenticated requests as a vector for resource exhaustion, not just as authorized access. Transport-layer security does not mitigate application-level complexity issues. Attackers who obtain valid certificates—through compromise, misconfiguration, or overly permissive issuance policies—gain an efficient channel to exploit inefficient patterns without facing network-level filtering.

To detect this risk in practice, scans analyze route definitions and runtime behavior for patterns known to exhibit pathological backtracking. Findings are mapped to the OWASP API Top 10 and reference real-world CVEs that demonstrate the impact of ReDoS in routing libraries. Remediation focuses on eliminating exponential-time constructs and ensuring validation logic remains deterministic regardless of input size.

Remediation for Regex Dos in a Mutual TLS environment centers on hardening route matchers and validation logic without relying on the transport layer to sanitize input. Even with client certificates verified, every path parameter and query string must be treated as untrusted.

First, avoid regex-based matchers for user-controlled segments. Use Chi’s built-in path parameter parsing and strict type conversion instead:

;; Safe route using numeric ID parsing
(def route
  (ring/compile-routes
    [{:path "/files/:id"
      :method :get
      :handler (fn [request]
                 (try
                   (let [id (Long/parseLong (str (:path-params request :id)))]
                     {:status 200 :body (str "File: " id)})
                   (catch NumberFormatException _
                     {:status 400 :body "Invalid ID"}})))}]))

When regex validation is necessary, prefer simple, linear patterns and avoid nested quantifiers. For example, replace complex character class loops with explicit length checks or character whitelisting using functions rather than regex:

;; Linear validation without backtracking-prone regex
(defn valid-id? [s]
  (and (string? s)
       (<= (count s) 32)
       (every? #(Character/isLetterOrDigit ^char %) s)))

(def secure-route
  (ring/compile-routes
    [{:path "/files/*id"
      :method :get
      :handler (fn [request]
                 (let [id (str (get-in request [:path-params :id]))]
                   (if (valid-id? id)
                     {:status 200 :body (str "File: " id)}
                     {:status 400 :body "Invalid"}})))}]))

For applications that must accept dynamic regexes (e.g., admin configuration panels), enforce strict limits on pattern complexity. Reject patterns containing nested quantifiers, ambiguous repetitions, or lookaheads that can cause exponential behavior. Combine this requirement with Mutual TLS client certificate checks to ensure only authorized administrators can modify validation rules:

;; Admin route protected by Mutual TLS with strict regex policy
(def admin-route
  (ring/compile-routes
    [{:path "/admin/regex"
      :method :post
      :tls-required true
      :handler (fn [request]
                 (let [pattern (str (:body request))]
                   (if (and (admin-certificate? request)
                            (safe-regex? pattern))
                     (do (store-pattern! pattern)
                         {:status 200 :body "Updated"})
                     {:status 403 :body "Forbidden"}})))}]))

In all cases, continuous monitoring through scans that include LLM security checks helps identify accidental leakage of sensitive patterns or inefficient constructs. The Pro plan supports configurable scanning schedules and CI/CD integration, allowing you to fail builds when risky regex patterns are detected in configuration or route definitions.