2020-06-30 12:49:37 +02:00
include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
import java.util.regex.Pattern;

class BasePattern {
  String regex = "(a+)+b"; // a regular expression
  String input; // a user input

  void foo(CharSequence htmlString) {
    input.matches(regex); // Sensitive
    Pattern.compile(regex); // Sensitive
    Pattern.compile(regex, Pattern.CASE_INSENSITIVE); // Sensitive

    String replacement = "test";
    input.replaceAll(regex, replacement); // Sensitive
    input.replaceFirst(regex, replacement); // Sensitive

    if (!Pattern.matches(".*<script>(a+)+b", htmlString)) { // Sensitive
    }
  }
}
----
This also applies to bean validation, where a regexp can be specified:
----
import java.io.Serializable;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Email;
import org.hibernate.validator.constraints.URL;

class BeansRegex implements Serializable {
  @Pattern(regexp=".+@(a+)+b") // Sensitive
  private String email;

  @Email(regexp=".+@(a+)+b") // Sensitive
  private String email2;

  @URL(regexp="(a+)+b.com") // Sensitive
  private String url;
  // ...
}
----
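The following is an added example, not part of the rule description above. It places the sensitive ``++(a+)+b++`` pattern from both examples (``++Pattern.compile++`` and the bean-validation annotations) next to an equivalent pattern without a nested quantifier, and shows two guards a caller can apply when a pattern cannot be rewritten: a cap on input length and a ``++CharSequence++`` wrapper that aborts a runaway match once a time budget is exceeded. The class names ``++RegexDosDemo++``, ``++DeadlineCharSequence++``, ``++RegexTimeoutException++`` and the helper ``++guardedMatches++`` are assumptions made for this example, not JDK or Hibernate Validator APIs; ``++String.repeat++`` requires Java 11 or later.

```java
import java.util.regex.Pattern;

// Added example (not the rule's own code): sensitive pattern, linear-time
// equivalent, and two defensive guards around java.util.regex matching.
class RegexDosDemo {

  // Sensitive: the nested quantifier lets "aaaa...a!" (no trailing 'b') be split
  // between the inner and outer groups in exponentially many ways before failing.
  static final Pattern SENSITIVE = Pattern.compile("(a+)+b");

  // Same language, single quantifier: the engine has only one way to consume the
  // run of 'a', so a non-match is rejected in linear time.
  static final Pattern LINEAR = Pattern.compile("a+b");

  // Guard 1: never run a regex over unbounded, caller-controlled input.
  static final int MAX_INPUT_LENGTH = 1_000;

  // Guard 2: java.util.regex.Matcher reads the subject through CharSequence.charAt(),
  // so a wrapper that checks a deadline on every read turns a multi-minute
  // backtracking match into an exception after the budget expires. (Assumed helper.)
  static final class DeadlineCharSequence implements CharSequence {
    private final CharSequence inner;
    private final long deadlineNanos;

    static DeadlineCharSequence withBudget(CharSequence s, long budgetMillis) {
      return new DeadlineCharSequence(s, System.nanoTime() + budgetMillis * 1_000_000L);
    }

    private DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
      this.inner = inner;
      this.deadlineNanos = deadlineNanos;
    }

    @Override public char charAt(int index) {
      if (System.nanoTime() - deadlineNanos > 0) {
        throw new RegexTimeoutException();
      }
      return inner.charAt(index);
    }
    @Override public int length() { return inner.length(); }
    @Override public CharSequence subSequence(int start, int end) {
      // Keep the same deadline so sub-sequences cannot escape the budget.
      return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
    }
    @Override public String toString() { return inner.toString(); }
  }

  static final class RegexTimeoutException extends RuntimeException {
    RegexTimeoutException() { super("regular expression exceeded its time budget"); }
  }

  // Apply both guards; oversize input is rejected before any matching happens and
  // a match that overruns its budget surfaces as RegexTimeoutException so the
  // caller can fail closed instead of tying up the thread.
  static boolean guardedMatches(Pattern pattern, String input, long budgetMillis) {
    if (input.length() > MAX_INPUT_LENGTH) {
      throw new IllegalArgumentException("input longer than " + MAX_INPUT_LENGTH + " characters");
    }
    return pattern.matcher(DeadlineCharSequence.withBudget(input, budgetMillis)).matches();
  }

  public static void main(String[] args) {
    // Constructed worst-case input for (a+)+b: a run of 'a' with no 'b' at the end.
    String hostile = "a".repeat(35) + "!";

    long start = System.nanoTime();
    boolean linear = LINEAR.matcher(hostile).matches();
    System.out.printf("a+b    -> %b in %d ms%n", linear, (System.nanoTime() - start) / 1_000_000);

    start = System.nanoTime();
    try {
      boolean sensitive = guardedMatches(SENSITIVE, hostile, 200);
      System.out.printf("(a+)+b -> %b in %d ms%n", sensitive, (System.nanoTime() - start) / 1_000_000);
    } catch (RegexTimeoutException e) {
      System.out.printf("(a+)+b -> %s after %d ms%n", e.getMessage(), (System.nanoTime() - start) / 1_000_000);
    }
  }
}
```

The length cap is the cheaper guard and should be applied first; the deadline wrapper is a last line of defence for patterns that are compiled from configuration or user data, where the nested quantifier cannot be reviewed ahead of time. For the bean-validation case the same reasoning applies to the ``++regexp++`` attribute: prefer a pattern with a single quantifier per repeated group over one with nested quantifiers.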
== Exceptions
Calls to ``++String.split(regex)++`` and ``++String.split(regex, limit)++`` will not raise an issue despite their use of a regular expression. These methods are used most of the time to split on simple regular expressions which don't create any vulnerabilities.
Some corner-case regular expressions will not raise an issue even though they might be vulnerable. For example: ``++(a|aa)+++``, ``++(a|a?)+++``.
It is a good idea to test your regular expression if it has the same pattern on both sides of a "``++|++``".
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
== Comments And Links
(visible only on this page)
include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]