...
| Code Block | ||
|---|---|---|
| ||
/* Say this logfile contains:
 * CSV style: search string, time (unix), ip (integer)
 *
 * Alice,1267773881,2147651708
 * Bono,1267774881,2147651708
 * Charles,1267775881,1175563058
 *
 * and the CSVLog class has a readLine() method which retrieves a single line from the CSVLog and returns null when at EOF
 */
private CSVLog logfile;
Â
//an application repeatedly calls this function that searches through the search log for search suggestions for autocompletion
public Set<String> suggestSearches(String search)
{
  Set<String> searches = new HashSet<String>();
  Â
  //construct regex from user's string //the regex matches valid lines and the grouping characters will limit the returned regex to the search string
  String regex = "^(" + search + "),[0-9]+?,[0-9]+?$";
  Pattern p = Pattern.compile(regex);
  String s;
  while ((s = logfile.readLine()) != null) { //gets a single line from the logfile
      Matcher m = p.matcher(s);
      if (m.find()) {
          String found = m.group(1);
          searches.add(found);
      }
  }
      Â
  return searches;
}
|
When searching using the regex '(?s)John.*', the program returns all the users' passwords. The (?s) turns on single-line matching support, which means new lines are ignored.
Compliant Solution
It is very difficult to filter out overly permissive regular expressions. It might be easier and more secure to rewrite the application to limit the usage of regular expressions.
...