ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2631/java/rule.adoc

55 lines
2.5 KiB
Plaintext
Raw Normal View History

make in-line code blocks verbatim
2021-01-27 13:42:22 +01:00
Most of the regular expression engines use ``++backtracking++`` to try all possible execution paths of the regular expression when evaluating an input, in some cases it can cause performance issues, called ``++catastrophic backtracking++`` situations. In the worst case, the complexity of the regular expression is exponential in the size of the input, this means that a small carefully-crafted input (like 20 chars) can trigger ``++catastrophic backtracking++`` and cause a denial of service of the application. Super-linear regex complexity can lead to the same impact too with, in this case, a large carefully-crafted input (thousands chars).
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space
2020-06-30 14:49:38 +02:00
Force linebreaks
2021-02-02 15:02:10 +01:00
Enable forced linebreaks in quotes; escape -- in url
2021-02-02 16:54:43 +01:00
The first regex evaluation will never end in ``++OpenJDK++`` +<=+ 9 and the second regex evaluation will never end in any versions of ``++OpenJDK++``:
Add rules 2000-2999
2020-06-30 12:48:07 +02:00
Force linebreaks
2021-02-02 15:02:10 +01:00
Add all rules, update all rules fixing the inline code syntax
2020-12-21 15:38:52 +01:00
----
java.util.regex.Pattern.compile("(a+)+").matcher(
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"+
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"+
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"+
aaaaaaaaaaaaaaa!").matches(); // Sensitive
java.util.regex.Pattern.compile("(h|h|ih(((i|a|c|c|a|i|i|j|b|a|i|b|a|a|j))+h)ahbfhba|c|i)*").matcher(
"hchcchicihcchciiicichhcichcihcchiihichiciiiihhcchi"+
"cchhcihchcihiihciichhccciccichcichiihcchcihhicchcciicchcccihiiihhihihihi"+
"chicihhcciccchihhhcchichchciihiicihciihcccciciccicciiiiiiiiicihhhiiiihchccch"+
"chhhhiiihchihcccchhhiiiiiiiicicichicihcciciihichhhhchihciiihhiccccccciciihh"+
"ichiccchhicchicihihccichicciihcichccihhiciccccccccichhhhihihhcchchihih"+
"iihhihihihicichihiiiihhhhihhhchhichiicihhiiiiihchccccchichci").matches(); // Sensitive
----
Add rules 2000-2999
2020-06-30 12:48:07 +02:00
Add all rules, update all rules fixing the inline code syntax
2020-12-21 15:38:52 +01:00
It is not recommended to construct a regular expression pattern from a user-controlled input, if no other choice, sanitize the input to remove/annihilate regex metacharacters.
Add rules 2000-2999
2020-06-30 12:48:07 +02:00
== Noncompliant Code Example
----
public boolean validate(javax.servlet.http.HttpServletRequest request) {
String regex = request.getParameter("regex");
String input = request.getParameter("input");
input.matches(regex); // Noncompliant
}
----
== Compliant Solution
----
public boolean validate(javax.servlet.http.HttpServletRequest request) {
String regex = request.getParameter("regex");
String input = request.getParameter("input");
Add all rules, update all rules fixing the inline code syntax
2020-12-21 15:38:52 +01:00
input.matches(Pattern.quote(regex)); // Compliant : with Pattern.quote metacharacters or escape sequences will be given no special meaning
Add rules 2000-2999
2020-06-30 12:48:07 +02:00
}
----
include::../see.adoc[]
Export comments and rspec-to-rspec links from jira
2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
Export comments and rspec-to-rspec links from jira
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
Fix the comment display: rule-id, timestamp, GH visibility, link direction
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
Reference in New Issue Copy Permalink