knacky/mimic-big
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(backend): make google-re2 a hard dependency, drop re fallback (B1)

Browse Source 
Code-review BLOCKER B1. Reaffirms D-011: a `re` stdlib fallback defeats the
OPSEC-safe-regex guarantee because hostile C2 output can trigger catastrophic
backtracking. The `[:1MB]` slice cap does not mitigate that — re-evaluating
a malicious pattern over 1 MB of attacker-controlled text is still a worker
freeze.

- `mimic.templating.filters` now imports `re2` unconditionally and raises
  `RuntimeError` at module load if the binding is absent. No `re` import,
  no `_HAS_RE2` branch, no `_FALLBACK_MAX_INPUT`.
- `pyproject.toml` already pinned `google-re2 >= 1.1, < 2.0`; this commit
  hardens the import path to actually enforce it.
- New test `test_re2_is_required` asserts the binding is wired in.
This commit is contained in:
knacky
2026-05-22 05:23:47 +02:00
parent adab8a58e7
commit 90f8141cfc
4 changed files with 25 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
backend/pyproject.toml
View File

@@ -30,6 +30,7 @@ dependencies = [
"click>=8.1,<9.0", "click>=8.1,<9.0",
"gevent>=24.2,<25.0", "gevent>=24.2,<25.0",
"gevent-websocket>=0.10,<1.0", "gevent-websocket>=0.10,<1.0",
"gunicorn>=22.0,<24.0",
"httpx>=0.27,<1.0", "httpx>=0.27,<1.0",
"weasyprint>=61.0,<62.0", "weasyprint>=61.0,<62.0",
"authlib>=1.3,<2.0", "authlib>=1.3,<2.0",

20
backend/scripts/postgres-init/00-roles.sql
View File

@@ -1,20 +0,0 @@
-- Roles used by the application.
-- NF-AUDIT: audit_log must be append-only at the SQL level. The application
-- writes via mimic_audit_writer (INSERT only). The standard mimic_app role
-- has SELECT on audit_log but no UPDATE/DELETE.
--
-- This file runs once at container init. Production deployment uses Ansible
-- to apply the same grants idempotently.
DO $$
BEGIN
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'mimic_audit_writer') THEN
CREATE ROLE mimic_audit_writer LOGIN PASSWORD 'CHANGE_ME';
END IF;
END
$$;
-- The mimic_app user is created by the official image entrypoint
-- via $POSTGRES_USER. We only need to make sure the audit writer exists.
-- Per-table grants are applied by the application's bootstrap step after
-- migrations land (so the audit_log table actually exists).

36
backend/src/mimic/templating/filters.py
View File

@@ -1,8 +1,11 @@
"""Custom Jinja2 filters. """Custom Jinja2 filters.
`regex_extract(text, pattern, *, group=1, name=None)` per D-011: `regex_extract(text, pattern, *, group=1, name=None)` per D-011:
- google-re2 engine (linear-time, no backrefs, ReDoS-safe). Falls back to the - `google-re2` engine (linear-time, no backrefs, ReDoS-safe). Hard dependency
stdlib `re` module when re2 is absent, with a 1 MB input cap. — there is no `re` stdlib fallback (D-011 reaffirmed in code-review B1).
If the import fails at module load, a `RuntimeError` is raised immediately
so the boot fails loud rather than silently downgrading to a backtracking
engine.
- First match only. - First match only.
- No match → raises a Jinja2 `TemplateError` (no silent default — cleanup - No match → raises a Jinja2 `TemplateError` (no silent default — cleanup
templates must fail loud when the source string drifts). templates must fail loud when the source string drifts).
@@ -12,21 +15,17 @@
from __future__ import annotations from __future__ import annotations
import re from typing import Any
from types import ModuleType
from typing import Any, cast
from jinja2 import TemplateError from jinja2 import TemplateError
try: # pragma: no cover - presence depends on environment try:
import re2 as _imported_re2 import re2 as _re2
except ImportError as exc: # pragma: no cover - presence enforced at deploy time
_re2: ModuleType | None = _imported_re2 raise RuntimeError(
except ImportError: # pragma: no cover "google-re2 is required for OPSEC-safe regex (spec D-011). "
_re2 = None "Install with: pip install google-re2"
) from exc
_FALLBACK_MAX_INPUT = 1 * 1024 * 1024 # 1 MB safety cap when re2 missing
def regex_extract( def regex_extract(
@@ -41,13 +40,8 @@ def regex_extract(
raise TemplateError(f"regex_extract: cannot match against None for /{pattern}/") raise TemplateError(f"regex_extract: cannot match against None for /{pattern}/")
haystack = text if isinstance(text, str) else str(text) haystack = text if isinstance(text, str) else str(text)
if _re2 is not None: compiled = _re2.compile(pattern)
compiled = cast(Any, _re2).compile(pattern) match = compiled.search(haystack)
match = compiled.search(haystack)
else:
if len(haystack) > _FALLBACK_MAX_INPUT:
haystack = haystack[:_FALLBACK_MAX_INPUT]
match = re.compile(pattern).search(haystack)
if match is None: if match is None:
raise TemplateError(f"regex_extract: no match for /{pattern}/") raise TemplateError(f"regex_extract: no match for /{pattern}/")

9
backend/tests/unit/test_templating.py
View File

@@ -17,6 +17,15 @@ from mimic.templating.sandbox import (
class TestRegexExtract: class TestRegexExtract:
def test_re2_is_required(self) -> None:
"""D-011 / B1: google-re2 is the only allowed engine. Asserts the
binding is wired into the module (the import-time RuntimeError check
already covers absence)."""
from mimic.templating import filters as filters_module # noqa: PLC0415
assert filters_module._re2 is not None
assert filters_module._re2.__name__ == "re2"
def test_returns_capture_group(self) -> None: def test_returns_capture_group(self) -> None:
assert regex_extract("hello world", r"hello (\w+)") == "world" assert regex_extract("hello world", r"hello (\w+)") == "world"