Refactor filter configuration with regex validation

- Add regex validation utility for query strings
- Update filter_config_service to use regex validation
- Add comprehensive test coverage for regex validator
- Update exception handling for validation errors
- Update documentation for tasks

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-01 18:17:12 +02:00
parent 445c2c5418
commit 60d9c5b340
6 changed files with 367 additions and 41 deletions


@@ -118,9 +118,15 @@ async def update_filter(
) -> FilterConfig:
"""Update a filter's ``[Definition]`` fields by writing a ``.local`` override.
All regex patterns are validated before writing. The original ``.conf``
file is never modified. Fields left as ``null`` in the request body are
kept at their current values.
All regex patterns are validated before writing. Validation includes:
- **Length limit**: Patterns must not exceed 1000 characters (prevents DoS)
- **Compilation timeout**: Pattern compilation must complete within 2 seconds
(prevents ReDoS attacks via catastrophic backtracking)
- **Syntax validation**: Patterns must be valid Python regex
The original ``.conf`` file is never modified. Fields left as ``null`` in the
request body are kept at their current values.
Args:
request: FastAPI request object.
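
Review bot: The "Compilation timeout" bullet in the update_filter docstring says a 2-second limit on pattern compilation "prevents ReDoS attacks via catastrophic backtracking", but catastrophic backtracking occurs when a compiled pattern is matched against input, not while it is compiled. A pattern with nested quantifiers normally compiles well inside the limit and would pass this check. Either reword the bullet so it only claims to bound compile time, or have the validator also run a time-limited match against sample input before the pattern is written to the ``.local`` override.
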
@@ -135,8 +141,10 @@ async def update_filter(
Raises:
HTTPException: 400 if *name* contains invalid characters.
HTTPException: 404 if the filter does not exist.
HTTPException: 400 if any regex pattern exceeds 1000 characters.
HTTPException: 400 if any regex pattern times out during compilation (ReDoS).
HTTPException: 422 if any regex pattern fails to compile.
HTTPException: 404 if the filter does not exist.
HTTPException: 500 if writing the ``.local`` file fails.
"""
return await filter_config_service.update_filter(config_dir, socket_path, name, body, do_reload=reload)
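
Review bot: The Raises list for update_filter now splits regex rejections across two status codes: 400 for the 1000-character limit and the compilation timeout, 422 for a pattern that fails to compile. All three are rejections of the same request-body field, so a client cannot tell from the status alone which rule it hit, and the 400 is shared with the invalid *name* case. Consider returning 422 for every pattern validation failure and distinguishing them in the error detail. The line "HTTPException: 404 if the filter does not exist." also appears twice in this hunk, before the new 400 entries and after the 422 entry; make sure only one copy remains in the resulting docstring.
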
@@ -164,6 +172,13 @@ async def create_filter(
shipped ``.conf`` files. Returns 409 if a ``.conf`` or ``.local`` for
the requested name already exists.
All regex patterns are validated before writing. Validation includes:
- **Length limit**: Patterns must not exceed 1000 characters (prevents DoS)
- **Compilation timeout**: Pattern compilation must complete within 2 seconds
(prevents ReDoS attacks via catastrophic backtracking)
- **Syntax validation**: Patterns must be valid Python regex
Args:
request: FastAPI request object.
_auth: Validated session.
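
Review bot: The validation paragraph added to create_filter is a verbatim copy of the one added to update_filter, including the literal limits "1000 characters" and "2 seconds". If the validator's limits change, both docstrings go stale without any test noticing. Describe the rules once, in the regex validation utility, and have both route docstrings refer to it rather than restating the numbers. The "(prevents DoS)" remark on the length limit would also be more useful if it said what the length bounds, for example the work done per pattern at validation time.
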
@@ -175,6 +190,8 @@ async def create_filter(
Raises:
HTTPException: 400 if the name contains invalid characters.
HTTPException: 400 if any regex pattern exceeds 1000 characters.
HTTPException: 400 if any regex pattern times out during compilation (ReDoS).
HTTPException: 409 if the filter already exists.
HTTPException: 422 if any regex pattern is invalid.
HTTPException: 500 if writing fails.
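
Review bot: In the create_filter Raises list, "HTTPException: 422 if any regex pattern is invalid." became ambiguous once the two new 400 entries were added above it, because a pattern that is too long or times out is also invalid yet is documented as returning 400. update_filter words the same case as "422 if any regex pattern fails to compile"; use that wording here so the two endpoints document the same contract. The entries are also not in status-code order (400, 400, 400, 409, 422, 500 would be), which the update_filter list does not follow either.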