2022-09-09 10:46:10 +02:00
|
|
|
=== How to fix it in .NET
|
|
|
|
|
|
2022-10-18 16:03:10 +02:00
|
|
|
The following noncompliant code is vulnerable to Regex Denial of Service
|
2022-09-09 10:46:10 +02:00
|
|
|
because untrusted data is used as a regex to scan a string without prior
|
|
|
|
|
sanitization or validation.
|
|
|
|
|
|
2022-10-18 16:03:10 +02:00
|
|
|
==== Noncompliant code example
|
2022-09-15 10:28:08 +02:00
|
|
|
|
|
|
|
|
[source,csharp,diff-id=1,diff-type=noncompliant]
|
2022-09-09 10:46:10 +02:00
|
|
|
----
|
|
|
|
|
public class ExampleController : Controller
|
|
|
|
|
{
|
|
|
|
|
public IActionResult Validate(string regex, string input)
|
|
|
|
|
{
|
2022-09-15 10:28:08 +02:00
|
|
|
bool match = Regex.IsMatch(input, regex);
|
2022-09-09 10:46:10 +02:00
|
|
|
|
|
|
|
|
return Json(match);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
----
|
2022-09-15 10:28:08 +02:00
|
|
|
|
|
|
|
|
==== Compliant solution
|
|
|
|
|
|
|
|
|
|
[source,csharp,diff-id=1,diff-type=compliant]
|
2022-09-09 10:46:10 +02:00
|
|
|
----
|
|
|
|
|
public class ExampleController : Controller
|
|
|
|
|
{
|
|
|
|
|
public IActionResult Validate(string regex, string input)
|
|
|
|
|
{
|
|
|
|
|
bool match = Regex.IsMatch(input, Regex.Escape(regex));
|
|
|
|
|
|
|
|
|
|
return Json(match);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
=== How does this work?
|
|
|
|
|
|
|
|
|
|
include::../../common/fix/validation.adoc[]
|
|
|
|
|
|
|
|
|
|
In the compliant solution example, `Regex.Escape` escapes metacharacters and escape sequences that
|
|
|
|
|
could have broken the initially intended logic.
|
|
|
|
|
|
