mirror of
https://github.com/github/codeql.git
synced 2026-03-06 07:36:47 +01:00
49 lines
1.5 KiB
XML
49 lines
1.5 KiB
XML
<!DOCTYPE qhelp PUBLIC
|
|
"-//Semmle//qhelp//EN"
|
|
"qhelp.dtd">
|
|
<qhelp>
|
|
|
|
<overview>
|
|
<p>
|
|
Constructing a regular expression with unsanitized user input is dangerous as a malicious user may
|
|
be able to modify the meaning of the expression. In particular, such a user may be able to provide
|
|
a regular expression fragment that takes exponential time in the worst case, and use that to
|
|
perform a Denial of Service attack.
|
|
</p>
|
|
</overview>
|
|
|
|
<recommendation>
|
|
<p>
|
|
Before embedding user input into a regular expression, use a sanitization function such as
|
|
lodash's <code>_.escapeRegExp</code> to escape meta-characters that have special meaning.
|
|
</p>
|
|
</recommendation>
|
|
|
|
<example>
|
|
<p>
|
|
The following example shows a HTTP request parameter that is used to construct a regular expression
|
|
without sanitizing it first:
|
|
</p>
|
|
<sample src="examples/RegExpInjection.js" />
|
|
<p>
|
|
Instead, the request parameter should be sanitized first, for example using the function
|
|
<code>_.escapeRegExp</code> from the lodash package. This ensures that the user cannot insert
|
|
characters which have a special meaning in regular expressions.
|
|
</p>
|
|
<sample src="examples/RegExpInjectionGood.js" />
|
|
</example>
|
|
|
|
<references>
|
|
<li>
|
|
OWASP:
|
|
<a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">Regular expression Denial of Service - ReDoS</a>.
|
|
</li>
|
|
<li>
|
|
Wikipedia: <a href="https://en.wikipedia.org/wiki/ReDoS">ReDoS</a>.
|
|
</li>
|
|
<li>
|
|
npm: <a href="https://www.npmjs.com/package/lodash">lodash</a>.
|
|
</li>
|
|
</references>
|
|
</qhelp>
|