Regex Dos in Gin with Dynamodb
Regex Dos in Gin with Dynamodb — how this specific combination creates or exposes the vulnerability
Regex Denial-of-Service (ReDoS) occurs when a regular expression has overlapping or nested quantifiers on untrusted input, causing catastrophic backtracking. In a Go API built with Gin, if route parameters or query values are used to construct regex patterns that reference external data—such as values stored in or queried from DynamoDB—the risk of ReDoS increases because the input may contain long repetitive strings designed to exploit inefficient expressions.
Consider a Gin handler that validates a path parameter against a regex pattern before using it to query DynamoDB. If the pattern is complex and the input comes from an untrusted source, a malicious request with a carefully crafted payload can force the regex engine to explore an exponential number of paths. Even though DynamoDB itself does not execute regexes, the vulnerability is introduced in Gin code that fetches items and then applies regex filtering in Go code before further processing. For example, fetching an item by a key and then running a costly pattern match on a potentially large attribute can turn a simple lookup into a slow operation that blocks the request context.
The combination is notable because DynamoDB is often used for high-throughput data stores, and Gin services may be scaled to handle many requests. If the regex is applied post-fetch on large or unbounded strings (such as JSON blobs or concatenated fields), an attacker can send inputs that cause long CPU stalls. This does not compromise DynamoDB directly, but it can degrade the responsiveness of the Gin service and increase error rates under load. Real-world patterns include using regexp.Compile on user-influenced strings or building regex from DynamoDB item attributes without normalization or length limits.
To detect such issues, scanning tools analyze Gin routes for regex usage and cross-reference them with data flows that involve DynamoDB calls. They look for expressions with nested quantifiers like (a+)+ or patterns that can expand exponentially on specific inputs. Since Gin applications often mix business logic and validation in handlers, a scanner can identify risky regexes that operate on data retrieved from DynamoDB and flag them before they are deployed.
Dynamodb-Specific Remediation in Gin — concrete code fixes
Remediation focuses on avoiding regex on untrusted or large inputs and constraining data taken from DynamoDB before any pattern matching. Prefer exact key lookups, length limits, and safe validation libraries instead of hand-rolled regex where possible.
Example 1: Safe DynamoDB GetItem with bounded string validation
// Validate early, avoid regex on raw user input.
func GetItemByID(c *gin.Context) {
id := c.Param("id")
// Reject obviously malformed input before any DynamoDB call.
if !regexp.MustCompile(`^[A-Za-z0-9\-_]{1,100}$`).MatchString(id) {
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid id"})
return
}
// Safe DynamoDB GetItem using AWS SDK for Go v2.
out, err := client.GetItem(context.TODO(), &dynamodb.GetItemInput{
TableName: aws.String("Items"),
Key: map[string]types.AttributeValue{
"ID": &types.AttributeValueMemberS{Value: id},
},
})
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
if out.Item == nil {
c.JSON(http.StatusNotFound, gin.H{"error": "not found"})
return
}
// Process out.Item safely.
c.JSON(http.StatusOK, out.Item)
}
Example 2: Avoid regex on potentially large attributes
If you must inspect attribute values, bound their size and avoid recursive patterns.
// Fetch item and apply safe checks.
func CheckDescription(c *gin.Context) {
id := c.Param("id")
out, err := client.GetItem(context.TODO(), &dynamodb.GetItemInput{
TableName: aws.String("Items"),
Key: map[string]types.AttributeValue{
"ID": &types.AttributeValueMemberS{Value: id},
},
})
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
desc, ok := out.Item["Description"].(*types.AttributeValueMemberS)
if !ok || desc == nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "missing description"})
return
}
// Limit length to avoid ReDoS on large text.
if len(desc.Value) > 10000 {
c.JSON(http.StatusBadRequest, gin.H{"error": "description too long"})
return
}
// Use a simple, non-backtracking check instead of complex regex.
if strings.Contains(desc.Value, "blocked") {
c.JSON(http.StatusForbidden, gin.H{"error": "description not allowed"})
return
}
c.JSON(http.StatusOK, gin.H{"status": "ok"})
}
General guidelines
- Validate input with simple length and character class checks before DynamoDB operations.
- Avoid building regex patterns from DynamoDB data; if necessary, precompile with
regexp.Compileat init time and enforce strict pattern constraints. - Use bounded iteration and prefer non-backtracking matchers for common tasks (e.g.,
strings.Contains,strconvparsing). - Set reasonable timeouts on Gin handlers to mitigate lingering CPU usage from pathological inputs.
Related CWEs: inputValidation
| CWE ID | Name | Severity |
|---|---|---|
| CWE-20 | Improper Input Validation | HIGH |
| CWE-22 | Path Traversal | HIGH |
| CWE-74 | Injection | CRITICAL |
| CWE-77 | Command Injection | CRITICAL |
| CWE-78 | OS Command Injection | CRITICAL |
| CWE-79 | Cross-site Scripting (XSS) | HIGH |
| CWE-89 | SQL Injection | CRITICAL |
| CWE-90 | LDAP Injection | HIGH |
| CWE-91 | XML Injection | HIGH |
| CWE-94 | Code Injection | CRITICAL |