Unsanitized dynamic input in regular expression

Overview

  • Rule ID: javascript_lang_dynamic_regex

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-1333

Description

Building a regular expression from dynamic input (for example, passing request data straight to new RegExp()) lets an attacker choose the pattern itself, not just the text it is matched against. JavaScript's RegExp engine is a backtracking matcher, and patterns with nested or overlapping quantifiers, such as (a+)+$, suffer catastrophic backtracking: their running time grows exponentially (or at least super-linearly) with the length of the input. Supplying such a pattern, or input tailored to trigger one, is a Regular Expression Denial of Service (ReDoS): a single request can pin a CPU core for seconds or longer and, because the match runs on the event loop, starve every other request on that process. A second, quieter consequence of unescaped input is that metacharacters change the meaning of the expression (a "." becomes a wildcard, "|" an alternation), so user text is no longer matched literally.

Remediation Guidelines

  • Do validate all dynamic and user-supplied input against a strict safelist of allowed characters before using it in a regular expression, and reject anything that fails the check rather than trying to clean it up. This prevents attackers from injecting quantifiers, groups and anchors that form pathological patterns.

  • Do restrict the length of the input that can be processed, both the dynamic part of the pattern and the text it is matched against. Catastrophic backtracking grows with input length, so a tight cap blunts many ReDoS vulnerabilities with very little code.

  • Do enforce a deadline on regular expression evaluation. The built-in RegExp has no timeout, so this means either running the match in a worker thread that is terminated when the deadline passes, or switching to a linear-time engine such as RE2 (for example the node-re2 binding), which rejects the backtracking constructs that cause the problem.

  • Do simplify complex regular expressions to reduce the risk of catastrophic backtracking. Avoid nested quantifiers and alternations whose branches can match the same text, such as (a+)+, (a|a)* or (\w+\s?)*, and prefer several simple anchored expressions over one large one.

  • Do not directly concatenate user input into a regular expression. If user text must appear in a pattern, escape the regex metacharacters first (RegExp.escape where the runtime supports it, otherwise a manual escape) so the text is matched literally and cannot change the structure of the expression.
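The following is an added example written for this page, not code from the original rule documentation: a search helper that builds a RegExp straight from user input, beside a hardened version that applies the steps above (length cap, safelist validation, metacharacter escaping). The function and constant names, the safelist and the sample records are illustrative assumptions.

```javascript
// Added example (not from the original rule page). Function and constant
// names, the safelist and the sample data are assumptions made for the demo.

// VULNERABLE: the caller's text becomes the pattern. A request carrying
// "(a+)+$" as the search term turns a lookup over a long run of "a"s into
// catastrophic backtracking, and a term like "b.d" silently matches "bxd".
function vulnerableSearch(userTerm, haystack) {
  const re = new RegExp(userTerm);
  return re.test(haystack);
}

// Escape every regex SyntaxCharacter (^ $ \ . * + ? ( ) [ ] { } |) so the
// user's text is matched literally. Because only syntax characters are
// escaped, the result is also valid under the "u" flag. Runtimes that ship
// RegExp.escape can use that instead.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Hardened: cap the length first (cheap), then validate against a strict
// safelist (the validator is a single anchored character class, so it runs in
// linear time), then escape before the text ever reaches the RegExp
// constructor.
const MAX_TERM_LENGTH = 64;
const SAFE_TERM = /^[A-Za-z0-9 _.@-]+$/;

function safeSearch(userTerm, haystack) {
  if (typeof userTerm !== 'string' || userTerm.length === 0) {
    throw new Error('search term must be a non-empty string');
  }
  if (userTerm.length > MAX_TERM_LENGTH) {
    throw new Error(`search term longer than ${MAX_TERM_LENGTH} characters`);
  }
  if (!SAFE_TERM.test(userTerm)) {
    throw new Error('search term contains characters outside the safelist');
  }
  // After escaping, the only dynamic part of the pattern is literal text, so
  // the attacker cannot introduce quantifiers, groups or anchors.
  const re = new RegExp(escapeRegExp(userTerm), 'i');
  return re.test(haystack);
}

// Constructed sample records for the demo.
const RECORDS = ['alice@example.com', 'bob.smith@example.org', 'carol_99'];

// Returns the records the user's term appears in, matched literally.
function findMatches(userTerm) {
  return RECORDS.filter((record) => safeSearch(userTerm, record));
}
```

Note the order of the checks: the length test runs before the safelist regex, so even the validator never sees an oversized string, and the safelist excludes every quantifier and grouping character, which makes the escape step defence in depth rather than the only barrier.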

References

Configuration

To omit this rule during a scan, reference its rule ID (javascript_lang_dynamic_regex) in your SAST tool's rule skip or exclusion configuration.
