RSPEC-4784

Using regular expressions is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure that using a regular expression is safe here.
    • Highlighting:
      The regular expression parameter
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      APEX, C, C++, Cobol, Go, Kotlin, Objective-C, PL/I, PL/SQL, Ruby, Rust, Scala, Swift, TypeScript, VB6
    • Covered Languages:
      C#, Java, JavaScript, PHP, Python, VB.Net
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-624, CWE-185
    • OWASP:
      A1

      Description

      Using regular expressions is security-sensitive. It has led in the past to the following vulnerabilities:

      Evaluating regular expressions against input strings is potentially an extremely CPU-intensive task. A specially crafted regular expression such as (a+)+s takes several seconds to evaluate against the input string aaaaaaaaaaaaaaaaaaaaaaaaaaaaabs. The problem is that with every additional a character added to the input, the time required to evaluate the regex doubles. The equivalent regular expression a+s (without grouping), however, is evaluated in milliseconds and scales linearly with the input size.
      Evaluating such regular expressions opens the door to Regular expression Denial of Service (ReDoS) attacks. In the context of a web application, attackers can force the web server to spend all of its resources evaluating regular expressions, thereby making the service inaccessible to genuine users.

      This rule flags any execution of a hardcoded regular expression which has at least 3 characters and at least two occurrences of any of the characters *, + or {.
      Example: (a+)*

      Ask Yourself Whether

      • the executed regular expression is sensitive and a user can provide a string which will be analyzed by this regular expression.
      • your regular expression engine's performance decreases with specially crafted inputs and regular expressions.

      You may be at risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      Check whether your regular expression engine (the algorithm executing your regular expression) has any known vulnerabilities. Search for vulnerability reports mentioning the engine you are using.

      If possible, use a library which is not vulnerable to ReDoS attacks, such as Google RE2.

      Remember also that a ReDoS attack is possible if a user-provided regular expression is executed. This rule won't detect this kind of injection.

      Exceptions

      Some corner-case regular expressions will not raise an issue even though they might be vulnerable. For example: (a|aa), (a|a?).
      It is a good idea to test your regular expression if it has the same pattern on both sides of a "|".
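      The following Python script is an added illustration of the detection heuristic stated in the description (at least 3 characters and at least two of *, + or {) together with the alternation corner case listed under Exceptions. It is not SonarSource's implementation: the analyzer works on the parsed program, whereas this script extracts regex literals line by line from the first string argument of a call to the Python re module (an assumption for the sake of the example), and its overlapping-alternation check is only an approximation of "the same pattern on both sides of a |". The scanned source text is constructed for the example.

```python
"""Illustration of the RSPEC-4784 heuristic over hardcoded regex literals.

Added example, not SonarSource's code. Assumption: a hardcoded regular
expression is the first string literal passed to one of the ``re`` functions
named below.
"""
import re
from typing import List, Tuple

# The characters the rule description counts towards the "security-sensitive" verdict.
QUANTIFIER_CHARS = frozenset("*+{")

# Line-based extractor for the first (optionally raw) string argument of a ``re`` call.
_REGEX_CALL = re.compile(
    r"""re\.(?:compile|match|search|fullmatch|findall|finditer|sub|split)\(\s*r?(["'])(.*?)\1"""
)

# A parenthesised group containing exactly one top-level alternation, e.g. (a|aa).
_ALTERNATION = re.compile(r"\(([^()|]+)\|([^()|]+)\)")


def is_security_sensitive(pattern: str) -> bool:
    """Rule heuristic: at least 3 characters and at least two of '*', '+', '{'."""
    if len(pattern) < 3:
        return False
    return sum(1 for ch in pattern if ch in QUANTIFIER_CHARS) >= 2


def _strip_quantifiers(branch: str) -> str:
    """Remove ?, *, + and {m,n} so that 'a?' and 'a' compare equal."""
    return re.sub(r"[?*+]|\{\d*(?:,\d*)?\}", "", branch)


def has_overlapping_alternation(pattern: str) -> bool:
    """Approximation of the documented corner case: an alternation whose two
    branches can match the same text, such as (a|aa) or (a|a?). The rule does
    not report these, so they deserve a manual review. Returns True when one
    branch, quantifiers removed, is a prefix of the other."""
    for left, right in _ALTERNATION.findall(pattern):
        a, b = _strip_quantifiers(left), _strip_quantifiers(right)
        if a.startswith(b) or b.startswith(a):
            return True
    return False


def audit_source(source: str) -> List[Tuple[int, str, str]]:
    """Scan source text and classify every extracted regex literal as
    'hotspot' (the rule would flag it), 'corner-case' (overlapping alternation
    the rule does not report) or 'ok'. Returns (line number, pattern, verdict)."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in _REGEX_CALL.finditer(line):
            pattern = match.group(2)
            if is_security_sensitive(pattern):
                verdict = "hotspot"
            elif has_overlapping_alternation(pattern):
                verdict = "corner-case"
            else:
                verdict = "ok"
            findings.append((lineno, pattern, verdict))
    return findings


# Constructed sample program to scan; the patterns are the ones from the rule text plus
# an address-like pattern with two '+' quantifiers.
SAMPLE_SOURCE = '''\
import re
TOKEN = re.compile(r"^([a-z0-9_.-]+)@([a-z0-9.-]+)$")
EVIL = re.compile(r"(a+)+s")
SAFE = re.match(r"a+s", text)
ODD = re.search(r"(a|aa)x", text)
'''

if __name__ == "__main__":
    for lineno, pattern, verdict in audit_source(SAMPLE_SOURCE):
        print(f"line {lineno:>2}: {verdict:<11} {pattern}")
```

      The hotspot verdict is deliberately coarse, exactly as the rule is: a pattern such as \d{2}-\d{4} is flagged although it backtracks harmlessly, because the heuristic counts characters rather than analysing the automaton. That is why the rule is a hotspot to review rather than a vulnerability, and why the engine-level advice above (a linear-time engine such as RE2) is the robust fix.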

          Issue Links

          1. Java RSPEC-4837 Language-Specification Active Unassigned
          2. C# RSPEC-4871 Language-Specification Active Unassigned
          3. PHP RSPEC-4957 Language-Specification Active Unassigned
          4. VB.NET RSPEC-5016 Language-Specification Active Unassigned
          5. JavaScript RSPEC-5074 Language-Specification Active Unassigned
          6. Python RSPEC-5224 Language-Specification Active Unassigned

              People

              • Assignee:
                Unassigned
              • Reporter:
                nicolas.harraudeau Nicolas Harraudeau