Following discussions in #50 and #56, I've added extra (configurable) limitations to the Haskell implementation: https://hackage.haskell.org/package/biscuit-haskell-0.1.0.0/docs/Auth-Biscuit-Datalog-Executor.html#t:Limits
- `allowRegexes`: arbitrary regexes are a well-known DoS vector. While specifying the regular expression features #50 tries to tackle the (ambitious) goal of defining a regex subset that would ensure runtime characteristics, an effective solution is to completely disallow regex computation. The Haskell impl mitigates a lot of the regex issue with how the timeout is implemented (verification is forked to another green thread), but the Rust implementation has a blocking verification, so a ReDoS would not be prevented by the timeout feature.
- `allowBlockFacts`: attenuating a biscuit with anything other than checks is inherently complex and error-prone; the `#authority` / `#ambient` restriction can be hard to understand (and was indeed the source of a security issue). A solution is to completely prevent blocks from defining facts or rules. A better solution would be to store this info in the token itself, but as a first step, having a simple way to forbid it in the verification phase should be enough.
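An added example, not part of the original post and not code from either biscuit implementation: one way to enforce both limits as a static pass over the token's blocks before any evaluation starts, so that a blocking verifier never reaches a regex match at all. The `Expr`, `Block`, `Limits` and `enforce_limits` names are hypothetical, and the token model is a simplified assumption with `blocks[0]` as the authority block.

```rust
// Hypothetical, simplified token model; not the biscuit-haskell or biscuit-rust API.
#[derive(Debug, PartialEq)]
pub enum LimitError { RegexNotAllowed { block: usize }, BlockFactsNotAllowed { block: usize } }

pub enum Expr {
    Var(String),
    And(Box<Expr>, Box<Expr>),
    Matches(Box<Expr>, String), // regex match, the ReDoS-prone operation
}

#[derive(Default)]
pub struct Block {
    pub facts: Vec<String>,     // facts, kept opaque here
    pub rules: Vec<Vec<Expr>>,  // each rule reduced to its expressions
    pub checks: Vec<Vec<Expr>>, // each check reduced to its expressions
}

pub struct Limits { pub allow_regexes: bool, pub allow_block_facts: bool }

fn uses_regex(e: &Expr) -> bool {
    match e {
        Expr::Matches(..) => true,
        Expr::And(a, b) => uses_regex(a) || uses_regex(b),
        Expr::Var(_) => false,
    }
}

/// Static pass run before any evaluation; blocks[0] is the authority block.
pub fn enforce_limits(blocks: &[Block], limits: &Limits) -> Result<(), LimitError> {
    for (i, b) in blocks.iter().enumerate() {
        let defines = !b.facts.is_empty() || !b.rules.is_empty();
        if !limits.allow_block_facts && i > 0 && defines {
            return Err(LimitError::BlockFactsNotAllowed { block: i });
        }
        let regex = b.rules.iter().chain(b.checks.iter()).flatten().any(uses_regex);
        if !limits.allow_regexes && regex {
            return Err(LimitError::RegexNotAllowed { block: i });
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample: an attenuation block whose check matches $path against a regex.
    let check = vec![Expr::Matches(Box::new(Expr::Var("path".into())), "(a+)+$".into())];
    let blocks = vec![Block::default(), Block { checks: vec![check], ..Default::default() }];
    let strict = Limits { allow_regexes: false, allow_block_facts: false };
    println!("{:?}", enforce_limits(&blocks, &strict)); // Err(RegexNotAllowed { block: 1 })
}
```

Because the pass rejects the token before any expression is evaluated, it does not depend on the timeout being able to interrupt verification.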