14 lines
1.4 KiB
Plaintext
14 lines
1.4 KiB
Plaintext
Using regular expressions is security-sensitive. It has led in the past to the following vulnerabilities:
|
|
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16021[CVE-2017-16021]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13863[CVE-2018-13863]
|
|
|
|
Evaluating regular expressions against input strings is potentially an extremely CPU-intensive task. Specially crafted regular expressions such as ``++(a+)+s++`` will take several seconds to evaluate the input string ``++aaaaaaaaaaaaaaaaaaaaaaaaaaaaabs++``. The problem is that with every additional ``++a++`` character added to the input, the time required to evaluate the regex doubles. However, the equivalent regular expression, ``++a+s++`` (without grouping) is efficiently evaluated in milliseconds and scales linearly with the input size.
|
|
|
|
Evaluating such regular expressions opens the door to https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS[Regular expression Denial of Service (ReDoS)] attacks. In the context of a web application, attackers can force the web server to spend all of its resources evaluating regular expressions thereby making the service inaccessible to genuine users.
|
|
|
|
|
|
This rule flags any execution of a hardcoded regular expression which has at least 3 characters and at least two instances of any of the following characters: ``++*+{++``.
|
|
|
|
Example: ``++(a+)*++``
|