
Regex Anchor Misuse in logstash-core allows multi-line Input bypass #18414

@odaysec

Description


# logstash-core: the attribute name is validated with the line anchors ^ and $
def lazy_init_attr(attribute, variable: "@#{attribute}".to_sym, &block)
  raise ArgumentError.new("invalid attribute name: #{attribute}") unless attribute.match? /^[_A-Za-z]\w*$/

Regular expressions in Ruby can use anchors to match the beginning and end of a string. In Ruby, however, ^ and $ always match at the start and end of a line, not of the whole string; there is no option that changes this (Ruby's /m flag only lets . match a newline). A pattern anchored with ^ and $ therefore succeeds as soon as any single line of a multi-line string matches, which lets bad actors bypass the check by placing the expected value on one line and malicious input on another. The following example uses a regular expression to check that a string contains only digits.

def bad(input)
  raise "Bad input" unless input =~ /^[0-9]+$/
end

The regular expression /^[0-9]+$/ matches the first line of an input such as "123\nmalicious_payload", so the string is accepted even though it is not made up only of digits. The following (good) example uses /\A[0-9]+\z/: \A matches only at the start of the string and \z only at its very end, so the entire input must consist of digits. Note that the capital \Z still permits one trailing newline before the end of the string, so \z is the anchor to use for strict validation.

def good(input)
  raise "Bad input" unless input =~ /\A[0-9]+\z/
end

References

Ruby Anchors

Proof of Concept (PoC)

  • Logstash installed (or clone the repository)
  • Ruby environment configured

Steps to Reproduce

  1. Clone the repository:

    git clone https://github.com/elastic/logstash.git
    cd logstash
  2. Run the following Ruby using Logstash’s Ruby environment:

    bin/logstash -e '
    ruby {
      code => "
        def bad(input)
          raise \"Bad input\" unless input =~ /^[0-9]+$/
        end
    
        begin
          bad(\"123\\nmalicious_payload\")
          puts \"[!] Validation bypassed successfully\"
        rescue => e
          puts \"[x] Validation failed: #{e}\"
        end
      "
    }
    '
  3. Expected Result:
    Because $ matches just before the newline, /^[0-9]+$/ accepts the first line (123) and never examines the malicious second line, so no exception is raised and the script prints:

    [!] Validation bypassed successfully
    
  4. Fixed Version Example:
    Replace the regex with /\A[0-9]+\z/ and re-run the command.
    It should now correctly reject multi-line input, producing:

    [x] Validation failed: Bad input
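The following stand-alone Ruby script is an added example, not code from this issue or from Logstash. It demonstrates the bypass described in the bad()/good() explanation above and reproduced by the PoC, runs a few constructed inputs through both the line-anchored and the string-anchored pattern, shows the \Z versus \z difference, and applies the same comparison to the attribute-name pattern quoted from logstash-core. The sample inputs and the helper names (accepted?, compare_anchors, bypasses) are this example's own.

```ruby
# Added example (not Logstash code): line anchors vs. string anchors in Ruby.
# In Ruby, ^ and $ always match at line boundaries; the /m option only changes
# the meaning of '.', so no flag turns ^ and $ into whole-string anchors.

LINE_ANCHORED   = /^[0-9]+$/      # the pattern from the issue's bad() example
STRING_ANCHORED = /\A[0-9]+\z/    # the pattern from the issue's good() example
TRAILING_NL_OK  = /\A[0-9]+\Z/    # \Z (capital) still allows one trailing newline

# The attribute-name check quoted from logstash-core, and a whole-string version.
ATTR_LINE_ANCHORED   = /^[_A-Za-z]\w*$/
ATTR_STRING_ANCHORED = /\A[_A-Za-z]\w*\z/

# True when the pattern accepts the input.
def accepted?(pattern, input)
  pattern.match?(input)
end

# Constructed inputs: the first is benign, the others try to smuggle data past
# a line-anchored check.
SAMPLES = {
  "123"                    => "plain digits",
  "123\nmalicious_payload" => "payload on a second line",
  "not digits\n123"        => "payload on the first line, digits on the second",
  "123\n"                  => "digits plus a trailing newline",
  "abc"                    => "no digits at all",
}

# Runs every sample through both patterns and returns
# { input => [line_anchored_result, string_anchored_result] }.
def compare_anchors(samples = SAMPLES.keys)
  samples.to_h do |input|
    [input, [accepted?(LINE_ANCHORED, input), accepted?(STRING_ANCHORED, input)]]
  end
end

# Inputs the line-anchored pattern accepts but the string-anchored one rejects,
# i.e. the inputs that bypass the original check.
def bypasses(samples = SAMPLES.keys)
  compare_anchors(samples).select { |_, (line, whole)| line && !whole }.keys
end

if __FILE__ == $PROGRAM_NAME
  compare_anchors.each do |input, (line, whole)|
    puts format("%-26p line-anchored=%-5s string-anchored=%-5s  # %s",
                input, line, whole, SAMPLES[input])
  end
  puts
  puts "\\Z accepts \"123\\n\": #{accepted?(TRAILING_NL_OK, "123\n")}"
  puts "\\z accepts \"123\\n\": #{accepted?(STRING_ANCHORED, "123\n")}"
  puts
  name = "foo\nbar" # an attribute name with an embedded newline
  puts "#{ATTR_LINE_ANCHORED.inspect} accepts #{name.inspect}: #{accepted?(ATTR_LINE_ANCHORED, name)}"
  puts "#{ATTR_STRING_ANCHORED.inspect} accepts #{name.inspect}: #{accepted?(ATTR_STRING_ANCHORED, name)}"
end
```

Running the script shows that every input containing a newline slips past /^[0-9]+$/ while /\A[0-9]+\z/ rejects it; the only input /\A[0-9]+\Z/ additionally accepts is the one with a single trailing newline, which is why \z rather than \Z is the right choice when the value will later be used as an identifier or embedded in other text.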
    

Impact

If similar regex-based input checks exist within Logstash or its plugin system, attackers could bypass validation by submitting crafted multi-line input. This could potentially lead to injection of unexpected data into configuration or plugin parameters.
