
FormUrlEncoded is vulnerable to HashDOS attacks.

NorfairKing opened this issue 4 years ago (1 comment)

  • This type uses a HashMap: https://hackage.haskell.org/package/http-api-data-0.4.3/docs/Web-FormUrlEncoded.html#t:Form

  • The package in which HashMap is defined, unordered-containers, specifically mentions: "This package currently provides no defenses against hash collision attacks such as HashDoS. Users who need to store input from untrusted sources are advised to use Data.Map or Data.Set from the containers package instead."

  • As a result, anyone who uses any of these functions is vulnerable:

    • https://hackage.haskell.org/package/http-api-data-0.4.3/docs/Web-FormUrlEncoded.html#v:urlDecodeForm
    • https://hackage.haskell.org/package/http-api-data-0.4.3/docs/Web-FormUrlEncoded.html#v:urlDecodeAsForm

    This includes a bunch of packages, including servant, see

    • https://hackage-search.serokell.io/?q=urlDecodeForm
    • https://hackage-search.serokell.io/?q=urlDecodeAsForm
  • More details about a similar issue here: https://cs-syd.eu/posts/2021-09-11-json-vulnerability

    Proposed fix: Use Map instead of HashMap.

NorfairKing, Nov 20 '21 00:11
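A mitigation along the lines of the proposed fix, as an added example that is not code from http-api-data or from the issue author: the form body is parsed straight into Data.Map, whose insert cost is O(log n) per key regardless of how keys hash, so no HashMap is ever built from attacker-controlled field names. The module name, function names and the sample body are assumptions for illustration.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not http-api-data's own code: decode an
-- application/x-www-form-urlencoded body into Data.Map instead of the
-- HashMap-backed Form, so colliding keys cost O(n log n) rather than O(n^2).
module SafeForm (FormMap, decodeFormMap, sampleBody) where

import qualified Data.ByteString as B
import qualified Data.ByteString.Char8 as B8
import Data.Char (digitToInt, isHexDigit)
import qualified Data.Map.Strict as M
import qualified Data.Text as T
import qualified Data.Text.Encoding as TE
import Data.Word (Word8)

-- Ordered map: lookups and inserts stay O(log n) for any key distribution.
type FormMap = M.Map T.Text [T.Text]

-- Percent-decode one field; '+' becomes a space, as urlDecodeForm does.
percentDecode :: B.ByteString -> Either T.Text B.ByteString
percentDecode = fmap B.pack . go . B8.unpack
  where
    go :: String -> Either T.Text [Word8]
    go [] = Right []
    go ('+' : rest) = (32 :) <$> go rest
    go ('%' : a : b : rest)
      | isHexDigit a && isHexDigit b =
          (fromIntegral (digitToInt a * 16 + digitToInt b) :) <$> go rest
    go ('%' : _) = Left "malformed percent-encoding"
    go (c : rest) = (fromIntegral (fromEnum c) :) <$> go rest

-- Split on '&', then on the first '=', decoding key and value separately.
-- Repeated keys accumulate in order of appearance, like Form's [Text] values.
decodeFormMap :: B.ByteString -> Either T.Text FormMap
decodeFormMap body = M.fromListWith (flip (++)) <$> mapM field pairs
  where
    pairs = filter (not . B.null) (B8.split '&' body)
    field raw = do
      let (k, v) = B8.break (== '=') raw
      key <- percentDecode k >>= utf8
      val <- percentDecode (B.drop 1 v) >>= utf8
      pure (key, [val])
    utf8 bs = either (const (Left "invalid UTF-8")) Right (TE.decodeUtf8' bs)

-- Constructed sample body (assumption): repeated key, '+' and '%XX' escapes.
-- decodeFormMap sampleBody
--   == Right (M.fromList [("a",["1","2"]),("b",["hello world"]),("c",["AB"])])
sampleBody :: B.ByteString
sampleBody = "a=1&b=hello+world&a=2&c=%41%42"
```

Converting an already-decoded Form with `M.fromList . HashMap.toList` would not help, because the HashMap has been built from the untrusted keys by then.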

CC @ocharles and @tomjaguarpaw

NorfairKing, Nov 20 '21 00:11