16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
87 lines
2.2 KiB
Plaintext
87 lines
2.2 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
import java.util.regex.Pattern;
|
|
|
|
class BasePattern {
|
|
String regex = "(a+)+b"; // a regular expression
|
|
String input; // a user input
|
|
|
|
void foo(CharSequence htmlString) {
|
|
input.matches(regex); // Sensitive
|
|
Pattern.compile(regex); // Sensitive
|
|
Pattern.compile(regex, Pattern.CASE_INSENSITIVE); // Sensitive
|
|
|
|
String replacement = "test";
|
|
input.replaceAll(regex, replacement); // Sensitive
|
|
input.replaceFirst(regex, replacement); // Sensitive
|
|
|
|
if (!Pattern.matches(".*<script>(a+)+b", htmlString)) { // Sensitive
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
This also applies for bean validation, where regexp can be specified:
|
|
|
|
----
|
|
import java.io.Serializable;
|
|
import javax.validation.constraints.Pattern;
|
|
import javax.validation.constraints.Email;
|
|
import org.hibernate.validator.constraints.URL;
|
|
|
|
class BeansRegex implements Serializable {
|
|
@Pattern(regexp=".+@(a+)+b") // Sensitive
|
|
private String email;
|
|
|
|
@Email(regexp=".+@(a+)+b") // Sensitive
|
|
private String email2;
|
|
|
|
@URL(regexp="(a+)+b.com") // Sensitive
|
|
private String url;
|
|
// ...
|
|
}
|
|
----
|
|
|
|
== Exceptions
|
|
|
|
Calls to ``++String.split(regex)++`` and ``++String.split(regex, limit)++`` will not raise an exception despite their use of a regular expression. These methods are used most of the time to split on simple regular expressions which don't create any vulnerabilities.
|
|
|
|
|
|
Some corner-case regular expressions will not raise an issue even though they might be vulnerable. For example: ``++(a|aa)+++``, ``++(a|a?)+++``.
|
|
|
|
It is a good idea to test your regular expression if it has the same pattern on both side of a \"``++|++``".
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 28 Sep 2018, 10:45:35 Alexandre Gigleux wrote:
|
|
I would remove "check if it is safe" on:
|
|
|
|
----
|
|
String regex; // a regular expression, check if it is safe
|
|
----
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|