<!DOCTYPE qhelp PUBLIC

"-//Semmle//qhelp//EN"

"qhelp.dtd">

<qhelp>

<overview>

<p>By default, "dot" (<code>.</code>) in regular expressions matches all characters except newline characters <code>\n</code> and

<code>\r</code>. Regular expressions containing a dot can be bypassed with the characters \r(%0a) , \n(%0d) when the default regex

matching implementations of Java are used. When regular expressions serve to match protected resource patterns to grant access

to protected application resources, attackers can gain access to unauthorized paths.</p>

</overview>

<recommendation>

<p>To guard against unauthorized access, it is advisable to properly specify regex patterns for validating user input. The Java

Pattern Matcher API <code>Pattern.compile(PATTERN, Pattern.DOTALL)</code> with the <code>DOTALL</code> flag set can be adopted

to address this vulnerability.</p>

</recommendation>

<example>

<p>The following examples show the bad case and the good case respectively. The <code>bad</code> methods show a regex pattern allowing

bypass. In the <code>good</code> methods, it is shown how to solve this problem by either specifying the regex pattern correctly or

use the Java API that can detect new line characters.

</p>

<sample src="DotRegex.java" />

</example>

<references>

<li>Lay0us1:

<a href="https://github.com/Lay0us1/CVE-2022-32532">CVE 2022-22978: Authorization Bypass in RegexRequestMatcher</a>.

</li>

<li>Apache Shiro:

<a href="https://github.com/apache/shiro/commit/6bcb92e06fa588b9c7790dd01bc02135d58d3f5b">Address the RegexRequestMatcher issue in 1.9.1</a>.

</li>

<li>CVE-2022-32532:

<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32532">Applications using RegExPatternMatcher with "." in the regular expression are possibly vulnerable to an authorization bypass</a>.

</li>

</references>

</qhelp>

import java

import semmle.code.java.dataflow.ExternalFlow

import semmle.code.java.dataflow.FlowSources

import DataFlow::PathGraph

import Regex

class PermissiveDotStr extends StringLiteral {

PermissiveDotStr() {

// Find `.` in a string that is not prefixed with `\`

exists(string s, int i | this.getValue() = s |

s.indexOf(".") = i and

not s.charAt(i - 1) = "\\"

)

}

class PermissiveDotEx extends Expr {

PermissiveDotEx() { this instanceof PermissiveDotStr }

class CompileRegexSink extends DataFlow::ExprNode {

CompileRegexSink() {

exists(MethodAccess ma, Method m | m = ma.getMethod() |

(

ma.getArgument(0) = this.asExpr() and

(

m instanceof StringMatchMethod // input.matches(regexPattern)

or

m instanceof PatternCompileMethod // p = Pattern.compile(regexPattern)

or

m instanceof PatternMatchMethod // p = Pattern.matches(regexPattern, input)

)

)

)

}

class PermissiveDotRegexConfig extends DataFlow::Configuration {

PermissiveDotRegexConfig() { this = "PermissiveDotRegex::PermissiveDotRegexConfig" }

override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof PermissiveDotEx }

override predicate isSink(DataFlow::Node sink) { sink instanceof CompileRegexSink }

override predicate isBarrier(DataFlow::Node node) {

exists(

MethodAccess ma, Field f // Pattern.compile(PATTERN, Pattern.DOTALL)

|

ma.getMethod() instanceof PatternCompileMethod and

ma.getArgument(1) = f.getAnAccess() and

f.hasName("DOTALL") and

f.getDeclaringType() instanceof Pattern and

node.asExpr() = ma.getArgument(0)

)

}

class MatchRegexConfiguration extends TaintTracking::Configuration {

MatchRegexConfiguration() { this = "PermissiveDotRegex::MatchRegexConfiguration" }

override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

override predicate isSink(DataFlow::Node sink) { sink instanceof MatchRegexSink }

DataFlow::PathNode source, DataFlow::PathNode sink, MatchRegexConfiguration conf,

DataFlow::PathNode source2, DataFlow::PathNode sink2, PermissiveDotRegexConfig conf2

conf.hasFlowPath(source, sink) and

conf2.hasFlowPath(source2, sink2) and

exists(MethodAccess ma | ma.getArgument(0) = sink2.getNode().asExpr() |

// input.matches(regexPattern)

ma.getMethod() instanceof StringMatchMethod and

ma.getQualifier() = sink.getNode().asExpr()

or

// p = Pattern.compile(regexPattern); p.matcher(input)

ma.getMethod() instanceof PatternCompileMethod and

exists(MethodAccess pma |

pma.getMethod() instanceof PatternMatcherMethod and

sink.getNode().asExpr() = pma.getArgument(0) and

DataFlow::localExprFlow(ma, pma.getQualifier())

)

or

// p = Pattern.matches(regexPattern, input)

ma.getMethod() instanceof PatternMatchMethod and

sink.getNode().asExpr() = ma.getArgument(1)

)

select sink.getNode(), source, sink, "Potentially authentication bypass due to $@.",

source.getNode(), "user-provided value"

import java

private import semmle.code.java.dataflow.ExternalFlow

private import semmle.code.java.dataflow.FlowSources

private import semmle.code.java.dataflow.TaintTracking2

class Pattern extends RefType {

Pattern() { this.hasQualifiedName("java.util.regex", "Pattern") }

class PatternCompileMethod extends Method {

PatternCompileMethod() {

this.getDeclaringType().getASupertype*() instanceof Pattern and

this.hasName("compile")

}

class PatternMatchMethod extends Method {

PatternMatchMethod() {

this.getDeclaringType().getASupertype*() instanceof Pattern and

this.hasName("matches")

}

class PatternMatcherMethod extends Method {

PatternMatcherMethod() {

this.getDeclaringType().getASupertype*() instanceof Pattern and

this.hasName("matcher")

}

class StringMatchMethod extends Method {

StringMatchMethod() {

this.getDeclaringType().getASupertype*() instanceof TypeString and

this.hasName("matches")

}

abstract class MatchRegexSink extends DataFlow::ExprNode { }

class StringMatchRegexSink extends MatchRegexSink {

StringMatchRegexSink() {

exists(MethodAccess ma, Method m | m = ma.getMethod() |

(

m instanceof StringMatchMethod and

ma.getQualifier() = this.asExpr()

)

)

}

class PatternMatchRegexSink extends MatchRegexSink {

PatternMatchRegexSink() {

exists(MethodAccess ma, Method m | m = ma.getMethod() |

(

m instanceof PatternMatchMethod and

ma.getArgument(1) = this.asExpr()

)

)

}

class PatternMatcherRegexSink extends MatchRegexSink {

PatternMatcherRegexSink() {

exists(MethodAccess ma, Method m | m = ma.getMethod() |

(

m instanceof PatternMatcherMethod and

ma.getArgument(0) = this.asExpr()

)

)

}

import java.io.IOException;

import java.util.regex.Matcher;

import java.util.regex.Pattern;

import javax.servlet.http.HttpServlet;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import javax.servlet.ServletException;

public class DotRegexServlet extends HttpServlet {

private static final String PROTECTED_PATTERN = "/protected/.*";

private static final String CONSTRAINT_PATTERN = "/protected/xyz\\.xml";

@Override

// BAD: A string with line return e.g. `/protected/%0dxyz` can bypass the path check

protected void doGet(HttpServletRequest request, HttpServletResponse response)

throws ServletException, IOException {

String source = request.getPathInfo();

Pattern p = Pattern.compile(PROTECTED_PATTERN);

Matcher m = p.matcher(source);

if (m.matches()) {

// Protected page - check access token and redirect to login page

} else {

// Not protected page - render content

}

}

// GOOD: A string with line return e.g. `/protected/%0dxyz` cannot bypass the path check

protected void doGet2(HttpServletRequest request, HttpServletResponse response)

throws ServletException, IOException {

String source = request.getPathInfo();

Pattern p = Pattern.compile(PROTECTED_PATTERN, Pattern.DOTALL);

Matcher m = p.matcher(source);

if (m.matches()) {

// Protected page - check access token and redirect to login page

} else {

// Not protected page - render content

}

}

// BAD: A string with line return e.g. `/protected/%0axyz` can bypass the path check

protected void doGet3(HttpServletRequest request, HttpServletResponse response)

throws ServletException, IOException {

String source = request.getPathInfo();

boolean matches = source.matches(PROTECTED_PATTERN);

if (matches) {

// Protected page - check access token and redirect to login page

} else {

// Not protected page - render content

}

}

// BAD: A string with line return e.g. `/protected/%0axyz` can bypass the path check

protected void doGet4(HttpServletRequest request, HttpServletResponse response)

throws ServletException, IOException {

String source = request.getPathInfo();

boolean matches = Pattern.matches(PROTECTED_PATTERN, source);

if (matches) {

// Protected page - check access token and redirect to login page

} else {

// Not protected page - render content

}

}

// GOOD: Only a specific path can pass the validation

protected void doGet5(HttpServletRequest request, HttpServletResponse response)

throws ServletException, IOException {

String source = request.getPathInfo();

Pattern p = Pattern.compile(CONSTRAINT_PATTERN);

Matcher m = p.matcher(source);

if (m.matches()) {

// Protected page - check access token and redirect to login page

} else {

// Not protected page - render content

}

}

}