Prevent ReDoS in SSTI validation patterns

[shoummu1]

🐛 Bug-fix PR

📌 Summary

Fixes ReDoS (Regular Expression Denial of Service) vulnerability in Server-Side Template Injection (SSTI) validation patterns that could allow attackers to cause CPU exhaustion and service timeouts through crafted input.

🔗 Related Issue

Closes #2366

🔁 Reproduction Steps

The vulnerability could be triggered by:

1. Submitting malformed template input like {{aaaa...aaaa (unclosed brackets) to any validation endpoint
2. Input length up to 64KB (MAX_TEMPLATE_LENGTH = 65536) would cause catastrophic backtracking
3. Results in O(n²) or worse time complexity, causing high CPU usage and request timeouts

🐞 Root Cause

The _SSTI_PATTERNS list in mcpgateway/common/validators.py (lines 95-103) used greedy quantifiers .* in regex patterns like:

re.compile(r"\{\{.*(__|\.|config).*\}\}", re.IGNORECASE)

When given input without closing delimiters (e.g., {{aaaa...aaaa), the regex engine would:

1. Match .* greedily to the end
2. Fail to find closing }}
3. Backtrack one character at a time
4. Retry at each position, causing exponential time complexity

💡 Fix Description

Replaced all vulnerable .* patterns with negated character classes that cannot backtrack:

Before:

re.compile(r"\{\{.*(__|\.|config|...).*\}\}", re.IGNORECASE)

After:

re.compile(r"\{\{[^}]*(__|\.|config|...)[^}]*\}\}", re.IGNORECASE)

Key changes:

• [^}]* - matches any character except }, bounded by delimiter
• [^%]* - matches any character except %, bounded by delimiter
• Eliminates backtracking while maintaining identical detection behavior
• All 9 SSTI patterns updated for consistency

The negated character classes provide linear time complexity O(n) instead of exponential, preventing the ReDoS attack vector.

🧪 Verification

Check	Command	Status
Lint suite	make lint	✅
Unit tests	make test	✅
Coverage ≥ 90 %	make coverage	✅
Security validation tests	pytest tests/security/test_input_validation.py	✅ 58 passed
SSTI pattern detection	All dangerous payloads still detected	✅

Test Results:

• test_server_side_template_injection: ✅ All 8 dangerous SSTI payloads correctly rejected
• test_regex_dos_prevention: ✅ Passes with ReDoS timing checks
• All 58 security validation tests: ✅ Pass
• All 72 validator unit tests: ✅ Pass

📐 MCP Compliance (if relevant)

• Matches current MCP spec
• No breaking change to MCP clients
• Internal security hardening only - no API changes

✅ Checklist

• Code formatted (make black isort pre-commit)
• No secrets/credentials committed
• All existing tests pass
• Security vulnerability mitigated

[crivetimihai]

@shoummu1 I've made some updates, please review / retest

[crivetimihai]

Summary of Changes

This PR has been significantly refactored to use a manual parser approach instead of regex patterns for SSTI detection. This eliminates the ReDoS vulnerability while improving bypass resistance.

Implementation Changes

Replaced regex patterns with linear-time parser:

Before (Regex)	After (Manual Parser)
\{\{.*(__|.|config|...).*\}\} with .* causing backtracking	_iter_template_expressions() - O(n) linear scan
Vulnerable to ReDoS with pathological input	No backtracking possible
Bypassed by }} inside quoted strings	Properly tracks quote state and escapes

New functions added to validators.py:

• _iter_template_expressions(value, start, end) - Yields template expression contents while correctly handling:
  • Single and double quoted strings
  • Escaped characters (\", \')
  • Nested delimiters inside quotes (e.g., "}}" in strings)
• _has_simple_template_expression(value, start) - Fast check for ${, #{, %{ patterns

New constants:

• _SSTI_DANGEROUS_SUBSTRINGS - Keywords to detect: __, ., config, self, request, application, globals, builtins, import
• _SSTI_DANGEROUS_OPERATORS - Arithmetic operators for {{ }}: *, /, +, -
• _SSTI_SIMPLE_TEMPLATE_PREFIXES - Simple template prefixes: ${, #{, %{

Bypass Resistance

Attack Vector	Status
{{ "}}" ~ self.__class__ }}	✅ Blocked
{{ 'a\'}}b' ~ self }}	✅ Blocked
{{ "a\"}}b" ~ self }}	✅ Blocked
`{{ ''	attr('class') }}`
`{{ ''	attr('' ~ 'class') }}`
{{ '}' + self.__class__ }}	✅ Blocked
`{{ users	map(attribute='class') }}`

Pre-existing Limitation

The fully-split dunder bypass ({{ ''|attr('_' ~ '_' ~ 'class' ~ '_' ~ '_') }}) is also allowed on main - this is a fundamental limitation of static analysis without template execution, not a regression from this PR.

Test Coverage

• Added comprehensive SSTI bypass test cases covering all vectors above
• Added @pytest.mark.timeout(30) for deterministic ReDoS detection
• Added pathological input tests (10,000 character strings with unclosed delimiters)
• All 58 security tests pass

Performance

• Before: Regex .* patterns could cause exponential backtracking on malicious input
• After: Linear O(n) scanning regardless of input - no backtracking possible

[shoummu1]

@crivetimihai I've reviewed and tested the refactored implementation.

Test Results

• ✅ All 31 security validation tests passing
• ✅ test_server_side_template_injection: All 34 SSTI payloads correctly detected (including 26 new bypass tests)
• ✅ test_regex_dos_prevention: Completes quickly with pathological inputs (10K chars)
• ✅ No regressions in existing functionality

Implementation Verification

✅ Parser functions present and correct:

• _iter_template_expressions(): State machine with proper quote tracking and escape handling
• _has_simple_template_expression(): Fast check for ${, #{, %{ patterns

✅ Regex patterns successfully replaced with:

• _SSTI_DANGEROUS_SUBSTRINGS: Keyword detection
• _SSTI_DANGEROUS_OPERATORS: Arithmetic operator detection
• _SSTI_SIMPLE_TEMPLATE_PREFIXES: Simple template patterns

✅ Bypass resistance verified:

• {{ "}}" ~ self.__class__ }} - Blocked ✅
• {{ "a\\"}}b" ~ self }} - Blocked ✅
• {{ ''|attr('__class__') }} - Blocked ✅

Security Improvements Confirmed

1. ReDoS eliminated: O(n) linear scanning, no catastrophic backtracking possible
2. Quote handling: Parser correctly tracks single/double quotes and escapes
3. Bypass resistance: 425% increase in test coverage (8→34 cases)

[crivetimihai]

Changes Summary

This PR has been rebased onto main and includes the following security hardening:

ReDoS Prevention

• Replaced regex-based SSTI detection with a linear-time manual parser (_iter_template_expressions())
• Original patterns used .* which could cause catastrophic backtracking
• New implementation is O(n) with proper quote-awareness

SSTI Bypass Vectors Blocked

• Dynamic construction: Added ~ operator and |attr to blocklists
• Escape sequences: Block \x (hex), \u (unicode), \N{ (named), \0-\7 (octal)
• String formatting: Block % operator (prevents '%c' % 95 bypasses)
• Filter bypasses: Block |selectattr, |sort, |map and attribute=
• Whitespace normalization: Normalize around | and = to prevent | attr bypasses

Performance

• O(n) complexity in _has_simple_template_expression using rfind
• O(n) complexity in _iter_template_expressions with fail-closed on unterminated expressions

Fail-Closed Behavior

• Unterminated template expressions ({{ without }}) now raise ValueError immediately
• Prevents potential O(n²) rescanning and ensures malformed input is rejected

Tests

• Added comprehensive test payloads for all bypass vectors
• Added @pytest.mark.timeout(30) for ReDoS detection
• Added regression test for unterminated expressions

Other Fixes

• Fixed pre-existing type annotation bug: max_length: int = None → Optional[int] = None