rspec/rules/S2631/java/rule.adoc

Most of the regular expression engines use ``backtracking`` to try all possible execution paths of the regular expression when evaluating an input, in some cases it can cause performance issues, called ``catastrophic backtracking`` situations. In the worst case, the complexity of the regular expression is exponential in the size of the input, this means that a small carefully-crafted input (like 20 chars) can trigger ``catastrophic backtracking`` and cause a denial of service of the application. Super-linear regex complexity can lead to the same impact too with, in this case, a large carefully-crafted input (thousands chars).

The first regex evaluation will never end in ``OpenJDK`` <= 9 and the second regex evaluation will never end in any versions of ``OpenJDK``:

----
java.util.regex.Pattern.compile("(a+)+").matcher(
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"+
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"+
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"+
aaaaaaaaaaaaaaa!").matches(); // Sensitive

java.util.regex.Pattern.compile("(h|h|ih(((i|a|c|c|a|i|i|j|b|a|i|b|a|a|j))+h)ahbfhba|c|i)*").matcher(
"hchcchicihcchciiicichhcichcihcchiihichiciiiihhcchi"+
"cchhcihchcihiihciichhccciccichcichiihcchcihhicchcciicchcccihiiihhihihihi"+
"chicihhcciccchihhhcchichchciihiicihciihcccciciccicciiiiiiiiicihhhiiiihchccch"+
"chhhhiiihchihcccchhhiiiiiiiicicichicihcciciihichhhhchihciiihhiccccccciciihh"+
"ichiccchhicchicihihccichicciihcichccihhiciccccccccichhhhihihhcchchihih"+
"iihhihihihicichihiiiihhhhihhhchhichiicihhiiiiihchccccchichci").matches(); // Sensitive
----

It is not recommended to construct a regular expression pattern from a user-controlled input, if no other choice, sanitize the input to remove/annihilate regex metacharacters.

== Noncompliant Code Example

----
public boolean validate(javax.servlet.http.HttpServletRequest request) {
  String regex = request.getParameter("regex");
  String input = request.getParameter("input");

  input.matches(regex);  // Noncompliant
}
----

== Compliant Solution

----
public boolean validate(javax.servlet.http.HttpServletRequest request) {
  String regex = request.getParameter("regex");
  String input = request.getParameter("input");

  input.matches(Pattern.quote(regex));  // Compliant : with Pattern.quote metacharacters or escape sequences will be given no special meaning
}
----

include::../see.adoc[]
change the inline-code delimitters 2020-12-23 14:59:06 +01:00			Most of the regular expression engines use ``backtracking`` to try all possible execution paths of the regular expression when evaluating an input, in some cases it can cause performance issues, called ``catastrophic backtracking`` situations. In the worst case, the complexity of the regular expression is exponential in the size of the input, this means that a small carefully-crafted input (like 20 chars) can trigger ``catastrophic backtracking`` and cause a denial of service of the application. Super-linear regex complexity can lead to the same impact too with, in this case, a large carefully-crafted input (thousands chars).
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
change the inline-code delimitters 2020-12-23 14:59:06 +01:00			The first regex evaluation will never end in ``OpenJDK`` <= 9 and the second regex evaluation will never end in any versions of ``OpenJDK``:
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`----`
			`java.util.regex.Pattern.compile("(a+)+").matcher(`
			`"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"+`
			`"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"+`
			`"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"+`
			`aaaaaaaaaaaaaaa!").matches(); // Sensitive`

			`java.util.regex.Pattern.compile("(h\|h\|ih(((i\|a\|c\|c\|a\|i\|i\|j\|b\|a\|i\|b\|a\|a\|j))+h)ahbfhba\|c\|i)*").matcher(`
			`"hchcchicihcchciiicichhcichcihcchiihichiciiiihhcchi"+`
			`"cchhcihchcihiihciichhccciccichcichiihcchcihhicchcciicchcccihiiihhihihihi"+`
			`"chicihhcciccchihhhcchichchciihiicihciihcccciciccicciiiiiiiiicihhhiiiihchccch"+`
			`"chhhhiiihchihcccchhhiiiiiiiicicichicihcciciihichhhhchihciiihhiccccccciciihh"+`
			`"ichiccchhicchicihihccichicciihcichccihhiciccccccccichhhhihihhcchchihih"+`
			`"iihhihihihicichihiiiihhhhihhhchhichiicihhiiiiihchccccchichci").matches(); // Sensitive`
			`----`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`It is not recommended to construct a regular expression pattern from a user-controlled input, if no other choice, sanitize the input to remove/annihilate regex metacharacters.`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
			`== Noncompliant Code Example`

			`----`
			`public boolean validate(javax.servlet.http.HttpServletRequest request) {`
			`String regex = request.getParameter("regex");`
			`String input = request.getParameter("input");`

			`input.matches(regex); // Noncompliant`
			`}`
			`----`

			`== Compliant Solution`

			`----`
			`public boolean validate(javax.servlet.http.HttpServletRequest request) {`
			`String regex = request.getParameter("regex");`
			`String input = request.getParameter("input");`

Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`input.matches(Pattern.quote(regex)); // Compliant : with Pattern.quote metacharacters or escape sequences will be given no special meaning`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`}`
			`----`

			`include::../see.adoc[]`