Unsanitized user input in regular expression

Description

Building a regular expression from user-controlled input can lead to a vulnerability known as Regular Expression Denial of Service (ReDoS). java.util.regex is a backtracking engine, and patterns with nested or overlapping quantifiers (for example `(a+)+$`) take time exponential in the input length when they fail to match. An attacker who controls the pattern, or the text it is run against, can therefore pin a CPU core for seconds or minutes per request, effectively denying service to legitimate users.

Remediations

  • Do not - wherever possible - use user input directly as a regular expression. If the user is supplying a search term rather than a pattern, escape it with Pattern.quote() so it is matched literally. The following is the kind of call this rule flags:
    Pattern pattern = Pattern.compile(request.getParameter("dangerousRegex"));
  • Do sanitize or validate user input if it must influence a regular expression. Prefer an allowlist of precompiled patterns the user selects by name, cap the input length, and reject nested quantifiers. As defense in depth, bound the time a single match may take, or use a linear-time engine (such as RE2) that cannot backtrack catastrophically.
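The following is an added example, not code from Bearer or from any scanned project. It places the flagged call beside three remediations: quoting a literal search term with Pattern.quote(), selecting from an allowlist of precompiled patterns by name, and bounding match time with a CharSequence wrapper that checks a deadline on every charAt() call (java.util.regex reads its input through that method on each backtracking step). The class, method and exception names are assumptions made for the example, and the sample pattern and input are constructed.

```java
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

public class SafeRegexFromUserInput {

    // Thrown when a bounded match exceeds its time budget (hypothetical name).
    static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException() { super("regex match exceeded its time budget"); }
    }

    // Vulnerable form: the request parameter is compiled as-is. A pattern such as "(a+)+$"
    // run against "aaaaaaaaaaaaaaaaaaaaaaaaaa!" backtracks exponentially and never matches.
    static boolean vulnerableMatch(String userRegex, String text) {
        return Pattern.compile(userRegex).matcher(text).find();
    }

    // Fix 1: when the user is really supplying a search term, not a pattern, quote it.
    // Pattern.quote() wraps the term in \Q...\E so every metacharacter is matched literally.
    static boolean literalSearch(String userTerm, String text) {
        return Pattern.compile(Pattern.quote(userTerm)).matcher(text).find();
    }

    // Fix 2: when several patterns are needed, the user chooses one by name from an allowlist
    // of constants compiled once; the pattern text itself never comes from the request.
    private static final Map<String, Pattern> ALLOWED = Map.of(
            "digits", Pattern.compile("^[0-9]+$"),
            "slug",   Pattern.compile("^[a-z0-9-]{1,64}$"));

    static boolean allowlistedMatch(String patternName, String text) {
        Pattern p = ALLOWED.get(patternName);
        if (p == null) {
            throw new IllegalArgumentException("unknown pattern name: " + patternName);
        }
        return p.matcher(text).matches();
    }

    // Defense in depth: the matcher pulls characters through CharSequence.charAt() on every
    // backtracking step, so checking a deadline there aborts a runaway match.
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        private DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        static DeadlineCharSequence withBudget(CharSequence inner, long budgetMillis) {
            return new DeadlineCharSequence(inner,
                    System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(budgetMillis));
        }

        @Override public int length() { return inner.length(); }

        @Override public char charAt(int index) {
            if (System.nanoTime() > deadlineNanos) {
                throw new RegexTimeoutException();
            }
            return inner.charAt(index);
        }

        @Override public CharSequence subSequence(int start, int end) {
            // Keep the same deadline for any sub-sequence the matcher derives.
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    // Runs an already-vetted pattern with a wall-clock budget; throws RegexTimeoutException on overrun.
    static boolean boundedMatch(Pattern compiled, String text, long budgetMillis) {
        return compiled.matcher(DeadlineCharSequence.withBudget(text, budgetMillis)).find();
    }

    public static void main(String[] args) {
        // Constructed sample input: 26 'a's followed by '!' defeats "(a+)+$" by exponential backtracking.
        String evilPattern = "(a+)+$";
        String text = "a".repeat(26) + "!";

        // The term is matched literally, so the metacharacters in it are harmless.
        System.out.println(literalSearch(evilPattern, "search for (a+)+$ literally"));
        // Only a pattern name crosses the trust boundary.
        System.out.println(allowlistedMatch("digits", "12345"));
        // The bounded run is cut off instead of consuming the CPU for seconds or more.
        try {
            boundedMatch(Pattern.compile(evilPattern), text, 200);
        } catch (RegexTimeoutException e) {
            System.out.println("aborted: " + e.getMessage());
        }
        // vulnerableMatch(evilPattern, text) would spin with no way to stop it; left uncalled here.
    }
}
```

The deadline wrapper is a backstop, not a substitute for keeping pattern text out of user hands: it still burns the full budget on every malicious request, so pair it with quoting or an allowlist, and keep the budget small.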

References

Associated CWE

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_regex_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_regex_using_user_input