Regex DoS in CockroachDB

How Regex DoS Manifests in CockroachDB

Regular expression denial of service (ReDoS) attacks exploit catastrophic backtracking in regex engines: a pattern with nested quantifiers, fed an input that almost matches, makes a backtracking matcher try an exponential number of paths, so a single match call can run for minutes or longer. CockroachDB is written in Go and evaluates its regex operators with Go's regexp package, which implements RE2 semantics and is guaranteed to run in time linear in the size of the input. It does not backtrack, and it rejects at compile time any pattern with a repeat count above 1000, including nested repeats whose product exceeds that bound. Exponential blow-up of the classic ReDoS kind therefore does not occur in CockroachDB. What remains is a resource-exhaustion problem of a more ordinary shape: regex predicates are evaluated per row, usually cannot be served by an index, and a user-controlled pattern or an unbounded text column can turn one query into a long, CPU-heavy scan.

The regex operators available in WHERE clauses are ~, ~* (case-insensitive), !~ and !~*. The textbook ReDoS example is the pattern (a+)+b applied to a long run of 'a' characters with no trailing 'b': a backtracking engine tries every way of splitting the run between the inner and outer quantifier before it gives up. In CockroachDB the same pattern and input fail in a single linear pass. The pattern becomes attacker-relevant only when the application lets the user supply it, for example by binding user input to the right-hand side of ~. Even then the per-row cost is bounded by pattern size times input length rather than exponential, but it is still paid for every row the filter inspects.
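The following is an added example, not code from CockroachDB or from the original page. It runs the (a+)+b pattern from the paragraph above through Go's regexp package, the same package CockroachDB's ~ operator uses, to show two things: the match time grows linearly with the length of the 'a' run instead of exploding, and patterns whose repeat counts (or nested repeat products) exceed 1000 are refused before any matching happens. The function names and the constructed inputs are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// NestedQuantifier is the classic ReDoS pattern from the text. Against a run of
// 'a' with no trailing 'b', a backtracking engine (PCRE, Java, JavaScript) tries
// every split of the run between the two quantifiers: exponential time.
const NestedQuantifier = `(a+)+b`

// MatchRunOfAs matches NestedQuantifier against a constructed string of n 'a'
// characters (not data from any real table) using Go's regexp, which implements
// RE2 semantics and never backtracks. It returns the match result and the
// wall-clock time of the match call itself, excluding compilation.
func MatchRunOfAs(n int) (matched bool, elapsed time.Duration) {
	re := regexp.MustCompile(NestedQuantifier)
	input := strings.Repeat("a", n)
	start := time.Now()
	matched = re.MatchString(input)
	return matched, time.Since(start)
}

// CompileRejected reports whether Go's regexp refuses the pattern at compile
// time. regexp/syntax rejects a single repeat count above 1000 and also nested
// repeats whose product exceeds 1000, so (a{1000}){1000} never compiles. A
// CockroachDB query that supplies such a pattern gets an error, not a long scan.
func CompileRejected(pattern string) bool {
	_, err := regexp.Compile(pattern)
	return err != nil
}

func main() {
	// Linear growth: each 10x in input length costs roughly 10x in time.
	for _, n := range []int{1_000, 10_000, 100_000, 1_000_000} {
		matched, d := MatchRunOfAs(n)
		fmt.Printf("n=%-8d matched=%-5v %v\n", n, matched, d)
	}
	// Compile-time limits: 1000 is the largest accepted count; (a{31}){32} has a
	// nested product of 992 and compiles, (a{1000}){1000} does not.
	for _, p := range []string{`a{1000}`, `a{1001}`, `(a{31}){32}`, `(a{1000}){1000}`} {
		fmt.Printf("%-18s rejected=%v\n", p, CompileRejected(p))
	}
}
```

Run it once with a backtracking engine in mind: the same loop in a PCRE- or JavaScript-based matcher would not finish for n in the tens of characters, while here n of a million finishes in well under a second. The compile-time rejections are the bound a user-supplied pattern hits in CockroachDB before it can cost anything per row.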

CockroachDB evaluates these operators in the query execution layer, once per row that reaches the filter. A regex predicate on a non-indexed expression forces a scan of the whole table (or of whatever rows survive any indexable predicates), so the total cost is rows scanned times per-row match cost, and a query over millions of rows can run long enough to tie up CPU and delay other work. The practical controls are the ones for any expensive scan: set statement_timeout for the sessions that run ad hoc or user-derived queries, narrow the scanned set with an indexed predicate before the regex is applied, and cap the length of the text columns being matched.

Other SQL surfaces reach the same engine. Functions such as regexp_replace, regexp_extract and regexp_split_to_array, the SIMILAR TO operator (which is translated into a regex), and, in versions whose jsonpath implementation supports it, the like_regex filter inside jsonb_path_query all compile and run their patterns with Go's regexp, so the same linear-time guarantee and compile-time limits apply. JSONB filtering still deserves attention for a different reason: a regex applied to values extracted from large JSON documents runs over every extracted value, and the size of those values is usually under the writer's control rather than the schema's.

The distributed architecture changes where the cost lands rather than how large it is. DistSQL pushes a filter over a large table down to the nodes that hold the table's ranges, so one expensive regex scan consumes CPU on every node that stores part of the table, and every database and application sharing those nodes feels it. Admission control smooths the contention but does not remove it; a statement timeout and a bound on the rows scanned are still what limit the damage a single query can do.


Related CWEs: inputValidation

The CWE that describes ReDoS itself is CWE-1333 (Inefficient Regular Expression Complexity); the entries below are the broader input-validation family this page is filed under.

CWE ID    Name                              Severity
CWE-20    Improper Input Validation         HIGH
CWE-22    Path Traversal                    HIGH
CWE-74    Injection                         CRITICAL
CWE-77    Command Injection                 CRITICAL
CWE-78    OS Command Injection              CRITICAL
CWE-79    Cross-site Scripting (XSS)        HIGH
CWE-89    SQL Injection                     CRITICAL
CWE-90    LDAP Injection                    HIGH
CWE-91    XML Injection                     HIGH
CWE-94    Code Injection                    CRITICAL