2020-06-30 12:49:37 +02:00
include::../description.adoc[]
include::../ask-yourself.adoc[]
== Recommended Secure Coding Practices
Check whether your regular expression engine (the algorithm executing your regular expression) has any known vulnerabilities. Search for vulnerability reports mentioning the one engine you're are using.
2021-02-02 15:02:10 +01:00
2020-06-30 12:49:37 +02:00
If the regular expression is vulnerable to ReDos attacks, mitigate the risk by using a "match timeout" to limit the time spent running the regular expression.
2021-02-02 15:02:10 +01:00
2020-06-30 12:49:37 +02:00
Remember also that a ReDos attack is possible if a user-provided regular expression is executed. This rule won't detect this kind of injection.
== Sensitive Code Example
----
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.Text.RegularExpressions;
using System.Web;
namespace N
{
public class RegularExpression
{
void Foo(RegexOptions options, TimeSpan matchTimeout, string input,
string replacement, MatchEvaluator evaluator)
{
// All the following instantiations are Sensitive.
new System.Text.RegularExpressions.Regex("(a+)+");
new System.Text.RegularExpressions.Regex("(a+)+", options);
new System.Text.RegularExpressions.Regex("(a+)+", options, matchTimeout);
// All the following static methods are Sensitive.
System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+");
System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+", options);
System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+", options, matchTimeout);
System.Text.RegularExpressions.Regex.Match(input, "(a+)+");
System.Text.RegularExpressions.Regex.Match(input, "(a+)+", options);
System.Text.RegularExpressions.Regex.Match(input, "(a+)+", options, matchTimeout);
System.Text.RegularExpressions.Regex.Matches(input, "(a+)+");
System.Text.RegularExpressions.Regex.Matches(input, "(a+)+", options);
System.Text.RegularExpressions.Regex.Matches(input, "(a+)+", options, matchTimeout);
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", evaluator);
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", evaluator, options);
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", evaluator, options, matchTimeout);
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", replacement);
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", replacement, options);
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", replacement, options, matchTimeout);
System.Text.RegularExpressions.Regex.Split(input, "(a+)+");
System.Text.RegularExpressions.Regex.Split(input, "(a+)+", options);
System.Text.RegularExpressions.Regex.Split(input, "(a+)+", options, matchTimeout);
}
}
}
----
include::../exceptions.adoc[]
include::../see.adoc[]
2021-06-02 20:44:38 +02:00
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
2021-06-08 15:52:13 +02:00
'''
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
2023-05-25 14:18:12 +02:00
=== on 16 Oct 2018, 11:38:07 Nicolas Harraudeau wrote:
*Implementation details*:
This rules highlights regular expression patterns. Sometime the pattern is compiled using the ``++new System.Text.RegularExpressions.Regex.Regex++`` constructor, but it can also be in the form of a ``++String++`` fed to one of Regex static methods ``++isMatch++``, ``++Match++``, ``++Matches++``, ``++Replace++``. ``++Split++``. Note that we *do not match non static methods* as the pattern was given to the ``++Regex++`` constructor.
include::../comments-and-links.adoc[]
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
