Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Untrusted input shall be sanitized before use to prevent regex injection. When the user must specify a regex as input, care must be taken to ensure that the original regex cannot be modified without restriction. Whitelisting characters (such as letters and digits) before delivering the user supplied string to the regex parser is a good input sanitization strategy. A programmer must provide only a very limited subset of regular expression functionality to the user to minimize any chance of misuse.

Regex Injection Example

Suppose a system log file contains messages output by various system processes. Some processes produce public messages and some processes produce sensitive messages marked 'private'. Here is an example log file:

...

This regex will match any line in the log file, including the private ones.

Noncompliant Code Example

This noncompliant code example periodically loads the log file into memory and allows clients to obtain keyword search suggestions by passing the keyword as an argument to suggestSearches().

...

This code permits a trusted user to search for public log messages such as "error". However, it also allows a malicious attacker to perform the regex injection outlined above.

Compliant Solution (Whitelisting)

This compliant solution filters out non-alphanumeric characters (except space and single quote) from the search string, which prevents regex injection.

...

This solution also limits the set of valid search terms. For instance, a user may no longer search for "name =" because the = character would be sanitized out of the regex.

Compliant Solution

Another method of mitigating this vulnerability is to filter out the sensitive information prior to matching. Such a solution would require the filtering to be done every time the log file is periodically refreshed, incurring extra complexity and a performance penalty. Sensitive information may be still exposed if the log format changes but the class is not also refactored to accommodate these changes.

Risk Assessment

Violating this rule may result in the disclosure of sensitive information.

Rule

Severity

Liklihood

Remediation Cost

Priority

Level

IDS19-J

medium

unlikely

medium

P4

L3

Related Guidelines

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1dd753c490785d0e-6f53cee7-465c4ca0-9125aa41-16362179769dceb4617676c7"><ac:plain-text-body><![CDATA[

[[MITRE 09

AA. Bibliography#MITRE 09]]

[CWE ID 625

http://cwe.mitre.org/data/definitions/625.html] "Permissive Regular Expression"

]]></ac:plain-text-body></ac:structured-macro>

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3948d2e760c2f5dc-4936ad22-49ca4449-9cb1bf80-bb2de2457fc6405db4f71aaf"><ac:plain-text-body><![CDATA[

[[Tutorials 08

AA. Bibliography#Tutorials 08]]

[Regular Expressions

http://java.sun.com/docs/books/tutorial/essential/regex/index.html]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1ce872e466588f59-97903164-427e4d81-a8fbbaca-d2362938a704caadc725a9f8"><ac:plain-text-body><![CDATA[

[[CVE 05

AA. Bibliography#CVE]]

[CVE-2005-1949

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1949]

]]></ac:plain-text-body></ac:structured-macro>

...