Using regular expressions is security-sensitive. It has led in the past to the following vulnerabilities:
Evaluating regular expressions against input strings is potentially an extremely CPU-intensive task. Specially crafted regular expressions such as
(a+)+s will take several seconds to evaluate the input string aaaaaaaaaaaaaaaaaaaaaaaaaaaaabs. The problem is that with
every additional a character added to the input, the time required to evaluate the regex doubles. However, the equivalent regular
expression, a+s (without grouping) is efficiently evaluated in milliseconds and scales linearly with the input size.
Evaluating such regular expressions opens the door to Regular expression Denial of Service (ReDoS) attacks. In the context of a web application, attackers can force the web server to spend all of its resources evaluating regular expressions thereby making the service inaccessible to genuine users.
This rule flags any execution of a hardcoded regular expression which has at least 3 characters and at least two instances of any of the following
characters: *+{.
Example: (a+)*
There is a risk if you answered yes to any of those questions.
Check whether your regular expression engine (the algorithm executing your regular expression) has any known vulnerabilities. Search for vulnerability reports mentioning the one engine you’re are using.
If the regular expression is vulnerable to ReDos attacks, mitigate the risk by using a "match timeout" to limit the time spent running the regular expression.
Remember also that a ReDos attack is possible if a user-provided regular expression is executed. This rule won’t detect this kind of injection.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.Text.RegularExpressions;
using System.Web;
namespace N
{
public class RegularExpression
{
void Foo(RegexOptions options, TimeSpan matchTimeout, string input,
string replacement, MatchEvaluator evaluator)
{
// All the following instantiations are Sensitive.
new System.Text.RegularExpressions.Regex("(a+)+");
new System.Text.RegularExpressions.Regex("(a+)+", options);
new System.Text.RegularExpressions.Regex("(a+)+", options, matchTimeout);
// All the following static methods are Sensitive.
System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+");
System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+", options);
System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+", options, matchTimeout);
System.Text.RegularExpressions.Regex.Match(input, "(a+)+");
System.Text.RegularExpressions.Regex.Match(input, "(a+)+", options);
System.Text.RegularExpressions.Regex.Match(input, "(a+)+", options, matchTimeout);
System.Text.RegularExpressions.Regex.Matches(input, "(a+)+");
System.Text.RegularExpressions.Regex.Matches(input, "(a+)+", options);
System.Text.RegularExpressions.Regex.Matches(input, "(a+)+", options, matchTimeout);
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", evaluator);
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", evaluator, options);
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", evaluator, options, matchTimeout);
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", replacement);
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", replacement, options);
System.Text.RegularExpressions.Regex.Replace(input, "(a+)+", replacement, options, matchTimeout);
System.Text.RegularExpressions.Regex.Split(input, "(a+)+");
System.Text.RegularExpressions.Regex.Split(input, "(a+)+", options);
System.Text.RegularExpressions.Regex.Split(input, "(a+)+", options, matchTimeout);
}
}
}
Some corner-case regular expressions will not raise an issue even though they might be vulnerable. For example: (a|aa)+,
(a|a?)+.
It is a good idea to test your regular expression if it has the same pattern on both side of a "|".
This rule is deprecated; use {rule:roslyn.sonaranalyzer.security.cs:S2631} instead.