66 lines
3.0 KiB
Plaintext
66 lines
3.0 KiB
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
== Recommended Secure Coding Practices
|
||
|
|
|
||
|
|
Check whether your regular expression engine (the algorithm executing your regular expression) has any known vulnerabilities. Search for vulnerability reports mentioning the one engine you're are using.
|
||
|
|
|
||
|
|
If the regular expression is vulnerable to ReDos attacks, mitigate the risk by using a "match timeout" to limit the time spent running the regular expression.
|
||
|
|
|
||
|
|
Remember also that a ReDos attack is possible if a user-provided regular expression is executed. This rule won't detect this kind of injection.
|
||
|
|
|
||
|
|
== Sensitive Code Example
|
||
|
|
|
||
|
|
----
|
||
|
|
using System;
|
||
|
|
using System.Collections.Generic;
|
||
|
|
using System.Linq;
|
||
|
|
using System.Runtime.Serialization;
|
||
|
|
using System.Text.RegularExpressions;
|
||
|
|
using System.Web;
|
||
|
|
|
||
|
|
namespace N
|
||
|
|
{
|
||
|
|
public class RegularExpression
|
||
|
|
{
|
||
|
|
void Foo(RegexOptions options, TimeSpan matchTimeout, string input,
|
||
|
|
string replacement, MatchEvaluator evaluator)
|
||
|
|
{
|
||
|
|
// All the following instantiations are Sensitive.
|
||
|
|
new System.Text.RegularExpressions.Regex("(a+)+");
|
||
|
|
new System.Text.RegularExpressions.Regex("(a+)+", options);
|
||
|
|
new System.Text.RegularExpressions.Regex("(a+)+", options, matchTimeout);
|
||
|
|
|
||
|
|
// All the following static methods are Sensitive.
|
||
|
|
System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+");
|
||
|
|
System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+", options);
|
||
|
|
System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+", options, matchTimeout);
|
||
|
|
|
||
|
|
System.Text.RegularExpressions.Regex.Match(input, "(a+)+");
|
||
|
|
System.Text.RegularExpressions.Regex.Match(input, "(a+)+", options);
|
||
|
|
System.Text.RegularExpressions.Regex.Match(input, "(a+)+", options, matchTimeout);
|
||
|
|
|
||
|
|
System.Text.RegularExpressions.Regex.Matches(input, "(a+)+");
|
||
|
|
System.Text.RegularExpressions.Regex.Matches(input, "(a+)+", options);
|
||
|
|
System.Text.RegularExpressions.Regex.Matches(input, "(a+)+", options, matchTimeout);
|
||
|
|
|
||
|
|
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", evaluator);
|
||
|
|
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", evaluator, options);
|
||
|
|
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", evaluator, options, matchTimeout);
|
||
|
|
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", replacement);
|
||
|
|
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", replacement, options);
|
||
|
|
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", replacement, options, matchTimeout);
|
||
|
|
|
||
|
|
System.Text.RegularExpressions.Regex.Split(input, "(a+)+");
|
||
|
|
System.Text.RegularExpressions.Regex.Split(input, "(a+)+", options);
|
||
|
|
System.Text.RegularExpressions.Regex.Split(input, "(a+)+", options, matchTimeout);
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../exceptions.adoc[]
|
||
|
|
|
||
|
|
include::../see.adoc[]
|