rspec/rules/S4784/description.adoc

Using regular expressions is security-sensitive. It has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16021[CVE-2017-16021]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13863[CVE-2018-13863]

Evaluating regular expressions against input strings is potentially an extremely CPU-intensive task. Specially crafted regular expressions such as ``++(a+)+s++`` will take several seconds to evaluate the input string ``++aaaaaaaaaaaaaaaaaaaaaaaaaaaaabs++``. The problem is that with every additional ``++a++`` character added to the input, the time required to evaluate the regex doubles. However, the equivalent regular expression, ``++a+s++`` (without grouping) is efficiently evaluated in milliseconds and scales linearly with the input size.

Evaluating such regular expressions opens the door to https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS[Regular expression Denial of Service (ReDoS)] attacks. In the context of a web application, attackers can force the web server to spend all of its resources evaluating regular expressions thereby making the service inaccessible to genuine users.


This rule flags any execution of a hardcoded regular expression which has at least 3 characters and at least two instances of any of the following characters: ``++*+{++``.

Example: ``++(a+)*++``
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`Using regular expressions is security-sensitive. It has led in the past to the following vulnerabilities:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16021[CVE-2017-16021]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13863[CVE-2018-13863]`

remove the asciidoc anchor syntax, unescape '\!' 2021-01-28 18:54:43 +01:00			Evaluating regular expressions against input strings is potentially an extremely CPU-intensive task. Specially crafted regular expressions such as ``++(a+)+s++`` will take several seconds to evaluate the input string ``++aaaaaaaaaaaaaaaaaaaaaaaaaaaaabs++``. The problem is that with every additional ``++a++`` character added to the input, the time required to evaluate the regex doubles. However, the equivalent regular expression, ``++a+s++`` (without grouping) is efficiently evaluated in milliseconds and scales linearly with the input size.
Force linebreaks 2021-02-02 15:02:10 +01:00
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`Evaluating such regular expressions opens the door to https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS[Regular expression Denial of Service (ReDoS)] attacks. In the context of a web application, attackers can force the web server to spend all of its resources evaluating regular expressions thereby making the service inaccessible to genuine users.`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
Force linebreaks 2021-02-02 15:02:10 +01:00
unescape more things 2021-02-05 10:34:25 +01:00			This rule flags any execution of a hardcoded regular expression which has at least 3 characters and at least two instances of any of the following characters: ``++*+{++``.
Force linebreaks 2021-02-02 15:02:10 +01:00
unescape more things 2021-02-05 10:34:25 +01:00			Example: ``++(a+)*++``