82 lines
3.4 KiB
Plaintext
82 lines
3.4 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
Check whether your regular expression engine (the algorithm executing your regular expression) has any known vulnerabilities. Search for vulnerability reports mentioning the one engine you're are using.
|
|
|
|
|
|
If the regular expression is vulnerable to ReDos attacks, mitigate the risk by using a "match timeout" to limit the time spent running the regular expression.
|
|
|
|
|
|
Remember also that a ReDos attack is possible if a user-provided regular expression is executed. This rule won't detect this kind of injection.
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
Imports System
|
|
Imports System.Collections.Generic
|
|
Imports System.Linq
|
|
Imports System.Runtime.Serialization
|
|
Imports System.Text.RegularExpressions
|
|
Imports System.Web
|
|
|
|
Namespace N
|
|
Public Class RegularExpression
|
|
Private Sub Foo(ByVal pattern As String, ByVal options As RegexOptions, ByVal matchTimeout As TimeSpan,
|
|
ByVal input As String, ByVal replacement As String, ByVal evaluator As MatchEvaluator)
|
|
' All the following instantiations are Sensitive. Validate the regular expression and matched input.
|
|
Dim r As Regex = New System.Text.RegularExpressions.Regex("(a+)+b")
|
|
r = New System.Text.RegularExpressions.Regex("(a+)+b", options)
|
|
r = New System.Text.RegularExpressions.Regex("(a+)+b", options, matchTimeout)
|
|
|
|
' All the following static methods are Sensitive.
|
|
System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+b")
|
|
System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+b", options)
|
|
System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+b", options, matchTimeout)
|
|
|
|
System.Text.RegularExpressions.Regex.Match(input, "(a+)+b")
|
|
System.Text.RegularExpressions.Regex.Match(input, "(a+)+b", options)
|
|
System.Text.RegularExpressions.Regex.Match(input, "(a+)+b", options, matchTimeout)
|
|
|
|
System.Text.RegularExpressions.Regex.Matches(input, "(a+)+b")
|
|
System.Text.RegularExpressions.Regex.Matches(input, "(a+)+b", options)
|
|
System.Text.RegularExpressions.Regex.Matches(input, "(a+)+b", options, matchTimeout)
|
|
|
|
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+b", evaluator)
|
|
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+b", evaluator, options)
|
|
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+b", evaluator, options, matchTimeout)
|
|
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+b", replacement)
|
|
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+b", replacement, options)
|
|
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+b", replacement, options, matchTimeout)
|
|
|
|
System.Text.RegularExpressions.Regex.Split(input, "(a+)+b")
|
|
System.Text.RegularExpressions.Regex.Split(input, "(a+)+b", options)
|
|
System.Text.RegularExpressions.Regex.Split(input, "(a+)+b", options, matchTimeout)
|
|
End Sub
|
|
End Class
|
|
End Namespace
|
|
----
|
|
|
|
include::../exceptions.adoc[]
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|