Regex Dos in Echo Go with Dynamodb
Regex Dos in Echo Go with Dynamodb — how this specific combination creates or exposes the vulnerability
A Regular Expression Denial of Service (Regex DoS) occurs when an attacker provides input that causes a poorly designed regular expression to consume excessive CPU time, leading to high latency or service unresponsiveness. In Echo Go, if user-controlled input such as query parameters or path segments is directly used to construct or influence regex patterns—especially when those patterns are combined with Amazon DynamoDB request validation or filtering logic—the application can become vulnerable.
When integrating with DynamoDB, developers sometimes use regex to validate or parse attribute values (e.g., filtering string-based keys or validating identifiers) before forming requests like GetItem or Query. If the regex is inefficient—containing nested quantifiers or ambiguous repetition—and the input is attacker-controlled, a single crafted request can trigger catastrophic backtracking. Because DynamoDB operations are often invoked per request in API handlers, this can cause the Echo Go service to block processing other requests, effectively creating a denial-of-service vector at the application layer.
The combination is risky when regex is applied to high-cardinality DynamoDB attribute values (e.g., partition keys or sort keys) without length or complexity limits. For example, using a pattern like (a+)+ to validate a string attribute that backs a DynamoDB table can be exploited by sending long sequences of a characters. In an Echo Go route that directly passes this input into a regex check before calling DynamoDB, the CPU time spent in regex evaluation grows exponentially with input size, while the database call may remain pending, compounding resource exhaustion.
Because middleBrick scans unauthenticated attack surfaces and includes input validation checks among its 12 parallel security checks, it can detect indicators of inefficient regex usage in API request handling paths that involve DynamoDB. While middleBrick does not fix these issues, its findings highlight the need to avoid embedding untrusted input in regex patterns and to enforce strict input constraints before DynamoDB operations.
Dynamodb-Specific Remediation in Echo Go — concrete code fixes
To prevent Regex DoS in Echo Go when working with DynamoDB, avoid using regex on untrusted input, or ensure patterns are safe and input is strictly bounded. Prefer using dedicated validation libraries or simple string checks instead of complex regex where possible. When regex is necessary, use atomic groups or possessive quantifiers (if supported by the regex engine), and always set explicit length limits on input strings.
Below are concrete examples showing insecure and secure patterns in an Echo Go handler that interacts with DynamoDB using the AWS SDK for Go v2.
// Insecure: regex with nested quantifiers on user input before DynamoDB call
package main
import (
"github.com/labstack/echo/v4"
"github.com/aws/aws-sdk-go-v2/service/dynamodb"
"regexp"
)
func getItemHandler(c echo.Context) error {
id := c.Param("id")
// Dangerous: user input used directly in regex
matched, _ := regexp.MatchString(`(a+)+`, id)
if matched {
// Proceed to DynamoDB call
_, err := svc.GetItem(c.Request().Context(), &dynamodb.GetItemInput{
TableName: aws.String("Items"),
Key: map[string]types.AttributeValue{
"ID": &types.AttributeValueMemberS{Value: id},
},
})
if err != nil {
return echo.NewHTTPError(500)
}
}
return c.NoContent(400)
}
The above pattern is vulnerable to Regex DoS because the regex (a+)+ can cause catastrophic backtracking on long strings of a. An attacker can send a crafted request that stalls the handler, indirectly impacting DynamoDB request throughput.
// Secure: bounded validation without nested quantifiers, then safe DynamoDB call
package main
import (
"github.com/labstack/echo/v4"
"github.com/aws/aws-sdk-go-v2/service/dynamodb"
"unicode"
)
func isValidID(id string) bool {
if len(id) < 1 || len(id) > 64 {
return false
}
for _, r := range id {
if !unicode.IsLetter(r) && !unicode.IsDigit(r) {
return false
}
}
return true
}
func getItemHandler(c echo.Context) error {
id := c.Param("id")
// Safe: simple character and length checks
if !isValidID(id) {
return echo.NewHTTPError(400, "invalid id")
}
_, err := svc.GetItem(c.Request().Context(), &dynamodb.GetItemInput{
TableName: aws.String("Items"),
Key: map[string]types.AttributeValue{
"ID": &types.AttributeValueMemberS{Value: id},
},
})
if err != nil {
return echo.NewHTTPError(500)
}
return c.JSON(200, map[string]string{"id": id})
}
In the secure version, input validation is performed using simple loops and length bounds, eliminating the risk of catastrophic backtracking. The DynamoDB call proceeds only after the input is confirmed safe, reducing the likelihood of resource exhaustion. This approach aligns with input validation checks that middleBrick reports as part of its security assessment, emphasizing the importance of validating data before using it in database operations.
Additionally, consider using prepared patterns compiled at startup if regex is unavoidable, and ensure that any regex applied to DynamoDB-related strings is tested against edge cases such as long repetitions, special characters, and empty strings.
Related CWEs: inputValidation
| CWE ID | Name | Severity |
|---|---|---|
| CWE-20 | Improper Input Validation | HIGH |
| CWE-22 | Path Traversal | HIGH |
| CWE-74 | Injection | CRITICAL |
| CWE-77 | Command Injection | CRITICAL |
| CWE-78 | OS Command Injection | CRITICAL |
| CWE-79 | Cross-site Scripting (XSS) | HIGH |
| CWE-89 | SQL Injection | CRITICAL |
| CWE-90 | LDAP Injection | HIGH |
| CWE-91 | XML Injection | HIGH |
| CWE-94 | Code Injection | CRITICAL |