Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit c54f08f

Browse files
jorgectfjorgectf
committed
Improve qhelp
1 parent 66ee67a commit c54f08f

1 file changed

Lines changed: 47 additions & 18 deletions

File tree

python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp

Lines changed: 47 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -1,23 +1,52 @@
1-
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
1+
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" qhelp.dtd"> <qhelp>
22

3-
<qhelp>
4-
<overview>
5-
<p>If a regular expression is built by a not escaped user-provided value, a user is likely to be able to cause a Denial of Service.</p>
6-
</overview>
3+
<overview>
4+
<p>
5+
Constructing a regular expression with unsanitized user input is dangerous as a malicious user may
6+
be able to modify the meaning of the expression. In particular, such a user may be able to provide
7+
a regular expression fragment that takes exponential time in the worst case, and use that to
8+
perform a Denial of Service attack.
9+
</p>
10+
</overview>
711

8-
<recommendation>
9-
<p>In case user input must compose a regular expression, it should be escaped with functions such as <code>re.escape</code>.
10-
<recommendation>
12+
<recommendation>
13+
<p>
14+
Before embedding user input into a regular expression, use a sanitization function such as
15+
<code>re.escape</code> to escape meta-characters that have a special meaning regarding
16+
regular expressions' syntax.
17+
</p>
18+
</recommendation>
1119

12-
<references>
13-
<li>
14-
OWASP
15-
<a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">Regular Expression DoS</a>
16-
</li>
17-
<li>
18-
SonarSource
19-
<a href="https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631">RSPEC-2631</a>
20-
</li>
21-
</references>
20+
<example>
21+
<p>
22+
The following examples are based on a simple Flask web server environment.
23+
</p>
24+
<p>
25+
The following example shows a HTTP request parameter that is used to construct a regular expression
26+
without sanitizing it first:
27+
</p>
28+
<sample src="unit_tests/re_bad.py" />
29+
<p>
30+
Instead, the request parameter should be sanitized first, for example using the function
31+
<code>re.escape</code>. This ensures that the user cannot insert characters which have a
32+
special meaning in regular expressions.
33+
</p>
34+
<sample src="examples/re_good.py" />
35+
</example>
2236

37+
<references>
38+
<li>
39+
OWASP:
40+
<a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">Regular expression Denial of Service - ReDoS</a>.
41+
</li>
42+
<li>
43+
Wikipedia: <a href="https://en.wikipedia.org/wiki/ReDoS">ReDoS</a>.
44+
</li>
45+
<li>
46+
Python docs: <a href="https://docs.python.org/3/library/re.html">re</a>.
47+
</li>
48+
<li>
49+
SonarSource: <a href="https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631">RSPEC-2631</a>
50+
</li>
51+
</references>
2352
</qhelp>

0 commit comments

Comments
 (0)