New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Java: Promote regex injection query from experimental #11070
base: main
Are you sure you want to change the base?
Conversation
|
QHelp previews: java/ql/src/Security/CWE/CWE-730/RegexInjection.qhelpRegular expression injectionConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack. RecommendationBefore embedding user input into a regular expression, use a sanitization function such as ExampleThe following example shows an HTTP request parameter that is used to construct a regular expression. In the first case the user-provided regex is not escaped. If a malicious user provides a regex that has exponential worst case performance, then this could lead to a Denial of Service. In the second case, the user input is escaped using import java.util.regex.Pattern;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
public class RegexInjectionDemo extends HttpServlet {
public boolean badExample(javax.servlet.http.HttpServletRequest request) {
String regex = request.getParameter("regex");
String input = request.getParameter("input");
// BAD: Unsanitized user input is used to construct a regular expression
return input.matches(regex);
}
public boolean goodExample(javax.servlet.http.HttpServletRequest request) {
String regex = request.getParameter("regex");
String input = request.getParameter("input");
// GOOD: User input is sanitized before constructing the regex
return input.matches(Pattern.quote(regex));
}
}References
|
Click to show differences in coveragejavaGenerated file changes for java
- `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,,,,,,,,
+ `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,6,,,,,,,
- Totals,,217,8432,1524,129,6,10,107,33,1,86
+ Totals,,217,8432,1530,129,6,10,107,33,1,86
- org.apache.commons.lang3,,,424,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,293,131
+ org.apache.commons.lang3,6,,424,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,293,131 |
Click to show differences in coveragejavaGenerated file changes for java
- `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,,,,,,,,
+ `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,6,,,,,,,
- Totals,,217,8432,1524,129,6,10,107,33,1,86
+ Totals,,217,8432,1530,129,6,10,107,33,1,86
- org.apache.commons.lang3,,,424,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,293,131
+ org.apache.commons.lang3,6,,424,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,293,131 |
Click to show differences in coveragejavaGenerated file changes for java
- `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,,,,,,,,
+ `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,6,,,,,,,
- Totals,,217,8432,1524,129,6,10,107,33,1,86
+ Totals,,217,8432,1530,129,6,10,107,33,1,86
- org.apache.commons.lang3,,,424,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,293,131
+ org.apache.commons.lang3,6,,424,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,293,131 |
This PR promotes #5704 from experimental.