Unsanitized user input in regular expression

• Rule ID: javascript_lang_regex_using_user_input
• Languages: javascript
• Source: regex_using_user_input.yml

Description

Creating regular expressions from user input can lead to a vulnerability known as Regular Expression Denial of Service (ReDoS). This issue arises because some regular expressions can be processed with exponential time complexity. When attackers exploit this, it can significantly drain CPU resources, effectively causing a denial of service.

Remediations

• Do not use user-supplied data directly in regular expressions. This can prevent attackers from exploiting the ReDoS vulnerability to cause a denial of service.

  new RegExp(`abc${req.params.untrusted}`, 'i'); // unsafe

• Do sanitize or validate all user input if it must be used in a regular expression, to ensure it does not contain patterns that can lead to ReDoS attacks.
• Do consider implementing timeouts or other limitations on regex operations to mitigate potential ReDoS attacks when user input is involved.

References

• OWASP ReDoS attacks explained

Associated CWE

• CWE-1287: Improper Validation of Specified Type of Input

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_regex_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_regex_using_user_input