<!DOCTYPE qhelp PUBLIC

"-//Semmle//qhelp//EN"

"qhelp.dtd">

<qhelp>

<overview>

<p>

Constructing a regular expression with unsanitized user input is dangerous as a malicious user may

be able to modify the meaning of the expression. In particular, such a user may be able to provide

a regular expression fragment that takes exponential time in the worst case, and use that to

perform a Denial of Service attack.

</p>

</overview>

<recommendation>

<p>

Before embedding user input into a regular expression, use a sanitization function

such as <code>Pattern.quote</code> to escape meta-characters that have special meaning.

</p>

</recommendation>

<example>

<p>

The following example shows an HTTP request parameter that is used to construct a regular expression.

</p>

<p>

In the first case the user-provided regex is not escaped.

If a malicious user provides a regex whose worst-case performance is exponential,

then this could lead to a Denial of Service.

</p>

<p>

In the second case, the user input is escaped using <code>Pattern.quote</code> before being included

in the regular expression. This ensures that the user cannot insert characters which have a special

meaning in regular expressions.

</p>

<sample src="RegexInjection.java" />

</example>

<references>

<li>

OWASP:

<a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">Regular expression Denial of Service - ReDoS</a>.

</li>

<li>

Wikipedia: <a href="https://en.wikipedia.org/wiki/ReDoS">ReDoS</a>.

</li>

<li>

Java API Specification: <a href="https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html#quote(java.lang.String)">Pattern.quote</a>.

</li>

</references>

</qhelp>