60 lines
1.7 KiB
Plaintext
60 lines
1.7 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
import java.util.regex.Pattern;
|
|
|
|
class BasePattern {
|
|
String regex = "(a+)+b"; // a regular expression
|
|
String input; // a user input
|
|
|
|
void foo(CharSequence htmlString) {
|
|
input.matches(regex); // Sensitive
|
|
Pattern.compile(regex); // Sensitive
|
|
Pattern.compile(regex, Pattern.CASE_INSENSITIVE); // Sensitive
|
|
|
|
String replacement = "test";
|
|
input.replaceAll(regex, replacement); // Sensitive
|
|
input.replaceFirst(regex, replacement); // Sensitive
|
|
|
|
if (!Pattern.matches(".*<script>(a+)+b", htmlString)) { // Sensitive
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
This also applies for bean validation, where regexp can be specified:
|
|
|
|
----
|
|
import java.io.Serializable;
|
|
import javax.validation.constraints.Pattern;
|
|
import javax.validation.constraints.Email;
|
|
import org.hibernate.validator.constraints.URL;
|
|
|
|
class BeansRegex implements Serializable {
|
|
@Pattern(regexp=".+@(a+)+b") // Sensitive
|
|
private String email;
|
|
|
|
@Email(regexp=".+@(a+)+b") // Sensitive
|
|
private String email2;
|
|
|
|
@URL(regexp="(a+)+b.com") // Sensitive
|
|
private String url;
|
|
// ...
|
|
}
|
|
----
|
|
|
|
== Exceptions
|
|
|
|
Calls to ``++String.split(regex)++`` and ``++String.split(regex, limit)++`` will not raise an exception despite their use of a regular expression. These methods are used most of the time to split on simple regular expressions which don't create any vulnerabilities.
|
|
|
|
Some corner-case regular expressions will not raise an issue even though they might be vulnerable. For example: ``++(a|aa)+++``, ``++(a|a?)+++``.
|
|
It is a good idea to test your regular expression if it has the same pattern on both side of a \"``++|++``".
|
|
|
|
include::../see.adoc[]
|