Regex Dos in Feathersjs with Hmac Signatures

Regular expression denial-of-service (Regex Dos) occurs when an attacker provides input that causes a regex engine to exhibit catastrophic backtracking. In FeathersJS, this risk is compounded when Hmac Signatures are used for request authentication. FeathersJS applications often parse query or body parameters to validate Hmac Signatures, and if those parameters are processed by vulnerable regular expressions, an attacker can send crafted inputs that make signature verification extremely slow or hang the event loop.

The vulnerability emerges at the intersection of three elements: user-controlled data entering regex patterns, the use of Hmac Signatures for integrity checks, and the way FeathersJS hooks and services are structured. For example, a developer might use a regex to extract or validate parts of a query string before computing the Hmac. If the regex is not carefully constrained, an attacker can supply strings that cause exponential backtracking, delaying or blocking legitimate requests. Because Hmac Signatures are typically verified early in the request lifecycle, a malicious payload can impact availability before any business logic runs.

Consider a FeathersJS service that expects an id parameter formatted as user-{number}. A naive regex like ^user-(\d+)$ may appear safe, but if combined with complex alternations or nested quantifiers across multiple hooks, the pattern can still become problematic when applied to attacker-controlled strings. In a typical authentication flow, the Hmac is computed over selected parameters; if those parameters are fed into a complex regex for normalization or validation, the computational cost can be disproportionate to the expected work, leading to denial of service.

Real-world impact includes degraded responsiveness or unavailability of the API endpoint protected by Hmac Signatures, which can be exploited to perform resource exhaustion without needing authentication. Because middleBrick scans the unauthenticated attack surface, such issues can be detected during automated testing of the endpoint’s behavior with crafted inputs designed to trigger pathological regex performance.

Remediation focuses on avoiding complex or unbounded regular expressions on attacker-controlled input and ensuring Hmac verification remains lightweight and predictable. Use simple, linear parsing for extracting identifiers and validate structure with strict character checks rather than backtracking-heavy patterns.

Instead of a complex regex, prefer string operations or safe parsing for Hmac-related parameters. For example, if your Hmac is computed over a query parameter like userId, validate it with straightforward checks rather than a regex that could backtrack.

// Unsafe: regex with potential for catastrophic backtracking
const userIdMatch = req.query.userId.match(/^user-(?:[a-zA-Z0-9]+)*$/);
if (userIdMatch) {
  const userId = userIdMatch[1];
  const expected = crypto.createHmac('sha256', secret).update(userId).digest('hex');
  if (constantTimingEqual(expected, req.query.hmac)) {
    // proceed
  }
}

// Safe: use string operations and strict validation
const userId = req.query.userId;
if (typeof userId === 'string' && userId.startsWith('user-') && /^[\d]+$/.test(userId.slice(5))) {
  const expected = crypto.createHmac('sha256', secret).update(userId).digest('hex');
  if (constantTimingEqual(expected, req.query.hmac)) {
    // proceed
  }
}

When using Hmac Signatures across multiple parameters, compute the signature over a canonical, serialized string that excludes untrusted or dynamically formatted inputs that could introduce variability and parsing complexity. Ensure that the serialization logic does not rely on regex-based splitting or trimming.

// Example of safe Hmac computation using a canonical string
const params = ['userId', 'action', 'timestamp'];
const canonical = params.map(p => `${p}=${encodeURIComponent(req.query[p] || '')}`).join('&');
const hmac = crypto.createHmac('sha256', secret).update(canonical).digest('hex');
if (constantTimingEqual(hmac, req.query.signature)) {
  // proceed with request
}

Additionally, apply rate limiting and request size constraints at the framework or infrastructure level to reduce the impact of potential abuse. The Pro plan of middleBrick includes continuous monitoring that can help detect irregular request patterns targeting Hmac verification endpoints.