Comment: colorizing code

Java's regular expression facilities are wide ranging and powerful, which can lead to unwanted modification of the original regular expression string to form a pattern that matches too widely, possibly resulting in far too much information being matched. The primary means of preventing this vulnerability is to sanitize a regular expression string coming from untrusted input. Additionally, the programmer should look into ways of avoiding the use of regular expressions built from untrusted input, or perhaps provide only a very limited subset of regular expression functionality to the user.

Constructs and properties of Java regular expressions to watch out for include:

* Match flags used in non-capturing groups. These override matching options that may or may not have been passed into the compile() method.
* Greediness

Since Java regular expressions are similar to Perl, it is a good idea to apply lessons learned from Perl regex.

h2. Noncompliant Code Example

This class does not sanitize the incoming regular expression and, as a result, exposes too much information to the user.

This program searches a database of users for usernames that match a regular expression.

{noformat}
A non-malicious example would be to search for 'John.*'. A malicious example would be to search for '(?s)John.*'
{noformat}


{code:bgColor=#FFCCCC}
import java.util.regex.Pattern;
import java.util.regex.Matcher;
import java.util.Set;
import java.util.HashSet;

public class ForumUserMan
{
    // CSV style database: user,password (one record per line)
    private final String userCSV = "JohnPaul,HearsGodsVoice\nJohnJackson,OlympicBobsleder\nJohnMayer,MakesBadMusic\n";

    public Set<String> searchUser(String name)
    {
        Set<String> matchedUsers = new HashSet<String>();

        String regex = name + ","; // supposedly this forces the regex to only match names
        // The untrusted string is compiled unchanged, so an embedded flag such as (?s)
        // takes effect regardless of the flags argument passed here.
        Pattern p = Pattern.compile(regex, 0);
        Matcher m = p.matcher(userCSV);

        while (m.find())
            matchedUsers.add(m.group());

        return matchedUsers;
    }
}
{code}

When searching using the regex '(?s)John.*', the program returns all the users' passwords. The (?s) turns on single-line (DOTALL) matching mode, in which the dot metacharacter also matches new line characters, so the greedy .* runs across line boundaries instead of stopping at the end of one record.

h2. Compliant Solution

It is very difficult to filter out overly permissive regular expressions. It might be easier and more secure to rewrite the application to limit the usage of regular expressions. For the above code sample, the easy solution is to parse the CSV into a class and limit the regular expression to the name field of the User class.

{code:bgColor=#ccccff}
import java.util.regex.Pattern;
import java.util.regex.Matcher;
import java.util.HashMap;

/* Usage: Test2 <regex>
 * The regex is applied to the user name field only, so the password field
 * is never exposed, whatever the regex contains.
 *
 * Imagine this program searches a database of users for usernames that match a regex
 * Non malicious usage: Test2 John.*
 * Malicious usage: Test2 (?s)John.*
 */
public class Test2
{
    public static class User
    {
        String name, password;
        public User(String name, String password)
        {
            setName(name);
            setPassword(password);
        }
        private void setName(String n) { name = n; }
        private void setPassword(String pw) { password = pw; }
        public String getName() { return name; }
    }

    public static void main(String[] args)
    {
        if (args.length < 1) {
            System.err.println("Failed to specify a regex");
            return;
        }

        String sensitiveData; // represents sensitive data from a file or something
        int flags;
        String regex;
        Pattern p;
        Matcher m;
        HashMap<String, User> userMap = new HashMap<String, User>();

        // imagine a CSV style database: user,password
        sensitiveData = "JohnPaul,HearsGodsVoice\nJohnJackson,OlympicBobsleder\nJohnMayer,MakesBadMusic\n";
        String[] csvUsers = sensitiveData.split("\n");
        for (String csvUser : csvUsers) {
            String[] csvUserSplit = csvUser.split(",");
            String name = csvUserSplit[0];
            String pw = csvUserSplit[1];
            User u = new User(name, pw);
            userMap.put(name, u);
        }

        regex = args[0];
        flags = 0;

        System.out.println("Pattern: '" + regex + "'");
        p = Pattern.compile(regex, flags);

        // The matcher only ever sees the name (the map key), never the password.
        for (String u : userMap.keySet()) {
            m = p.matcher(u);
            while (m.find())
                System.out.println("Found '" + m.group() + "'");
        }
        System.err.println("DONE");
    }
}
{code}
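One way to carry out the rewrite suggested above and to offer only a limited subset of regular expression functionality, as an added example that is not part of the CERT rule or its code: the hypothetical SafeUserSearch class accepts a restricted glob (letters, digits, underscore, * and ?) instead of a raw regular expression, builds the Pattern itself so that inline flags like (?s) can never be injected, and applies it to the name field alone.

```java
import java.util.regex.Pattern;
import java.util.*;

public class SafeUserSearch {
    // Only letters, digits, underscore and the two wildcards may reach the regex engine.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_*?]+");
    /* Translate the restricted glob into a regex. Literal runs are wrapped in Pattern.quote(),
     * so an inline flag such as (?s) cannot be injected; compile() flags stay under app control. */
    static Pattern fromUserGlob(String glob) {
        if (!ALLOWED.matcher(glob).matches())
            throw new IllegalArgumentException("unsupported search pattern: " + glob);
        StringBuilder regex = new StringBuilder(), literal = new StringBuilder();
        for (char c : glob.toCharArray()) {
            if (c == '*' || c == '?') {
                if (literal.length() > 0) {
                    regex.append(Pattern.quote(literal.toString()));
                    literal.setLength(0);
                }
                regex.append(c == '*' ? ".*" : ".");
            } else {
                literal.append(c);
            }
        }
        if (literal.length() > 0) regex.append(Pattern.quote(literal.toString()));
        return Pattern.compile(regex.toString());
    }
    /* The pattern is applied to the whole user name only (matches(), not find()),
     * so the password column is never visible to the matcher. */
    static Set<String> searchUser(Map<String, String> users, String glob) {
        Pattern p = fromUserGlob(glob);
        Set<String> matched = new TreeSet<String>();
        for (String name : users.keySet())
            if (p.matcher(name).matches()) matched.add(name);
        return matched;
    }
    public static void main(String[] args) {
        // Constructed sample data mirroring the CSV in the rule's examples (name -> password).
        Map<String, String> users = new HashMap<String, String>();
        users.put("JohnPaul", "HearsGodsVoice");
        users.put("JohnJackson", "OlympicBobsleder");
        users.put("JohnMayer", "MakesBadMusic");
        System.out.println(searchUser(users, "John*"));
        try {
            searchUser(users, "(?s)John*"); // '(' and ')' are outside the allowed set
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the input before compile() is preferable to quoting the offending characters, since a silently altered pattern would hide the attempted injection from the user and from logs.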


h2. Risk Assessment

|| Rule || Severity || Likelihood || Remediation Cost || Priority || Level ||
| IDS18-J | medium | unlikely | high | | |


h2. References

[CWE ID 625|http://cwe.mitre.org/data/definitions/625.html] Permissive Regular Expressions

[CVE-2005-1949|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1949] Arbitrary command execution in the ePing plugin for the e107 portal due to an overly permissive regular expression parsing an IP address