Unsanitized user input in regular expression

Description

Constructing regular expressions from user input can lead to a vulnerability known as Regular Expression Denial of Service (ReDoS). This occurs because certain regular expressions can be processed with exponential time complexity, leading to excessive CPU usage and potentially crashing the system when handling malicious input.

Remediations

  • Do not use user input directly in regular expressions. This can prevent attackers from exploiting complex patterns to cause a denial of service.
    $user_input = $_GET["name"] . ".php";   // attacker-controlled text
    preg_grep($user_input, $array);         // unsafe: the raw value is used as the pattern
  • Do sanitize or validate user input before incorporating it into regular expressions. This reduces the risk of ReDoS attacks by ensuring only safe patterns are used.
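The two remediations above, worked through as an added example that is not part of the Bearer rule page. It assumes the `$_GET["name"]` value is being used to select entries from an array of file names (the `$files` array and the sample inputs are constructed for the demonstration). The unsafe form keeps the page's shape; the hardened forms escape the value with `preg_quote()` or reject it against an allowlist, and every call checks `preg_last_error()` so a pattern that hits PCRE's backtracking limit is reported instead of silently returning an empty result.

```php
<?php
// Added example (not part of the Bearer rule page). Shows how user input
// reaches a regex unsafely and two ways to keep it from becoming pattern syntax.

// Constructed data standing in for $_GET["name"] and the array being searched.
$files = ['index.php', 'admin.php', 'a.b.php'];

// UNSAFE (mirrors the page): the request value is concatenated straight into
// the pattern, so any regex metacharacters it contains are interpreted.
function unsafe_grep(string $user_input, array $array): array
{
    $pattern = '/' . $user_input . '\.php$/';
    $result  = preg_grep($pattern, $array); // unsafe
    return $result === false ? [] : $result;
}

// SAFER 1: preg_quote() escapes every metacharacter (and the delimiter),
// so the value can only ever match itself literally.
function quoted_grep(string $user_input, array $array): array
{
    $pattern = '/^' . preg_quote($user_input, '/') . '\.php$/';
    $result  = preg_grep($pattern, $array);
    return check_pcre($result);
}

// SAFER 2: validate against a strict allowlist first. Anything that is not a
// plain file stem is rejected, so no untrusted text is compiled as a pattern.
function validated_grep(string $user_input, array $array): array
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $user_input)) {
        return []; // reject instead of trying to "clean" the value
    }
    $result = preg_grep('/^' . $user_input . '\.php$/', $array);
    return check_pcre($result);
}

// Defensive caveat: preg_* functions return false when PCRE aborts, e.g. on
// PREG_BACKTRACK_LIMIT_ERROR (pcre.backtrack_limit). Surface that instead of
// treating it as "no match", so a ReDoS attempt shows up in logs.
function check_pcre(array|false $result): array
{
    if ($result === false || preg_last_error() !== PREG_NO_ERROR) {
        error_log('regex aborted: ' . preg_last_error_msg());
        return [];
    }
    return $result;
}

// Demonstration with constructed inputs: a benign stem and one containing
// regex metacharacters ("." matches any character in the unsafe form).
foreach (['index', 'a.b', 'a.c'] as $name) {
    printf("%-6s unsafe=%s quoted=%s validated=%s\n",
        $name,
        json_encode(array_values(unsafe_grep($name, $files))),
        json_encode(array_values(quoted_grep($name, $files))),
        json_encode(array_values(validated_grep($name, $files)))
    );
}
```

Run with `php example.php`. For the input `a.c` the unsafe form still returns `a.b.php`, because the unescaped `.` matches any character; the `preg_quote()` form returns nothing, and the allowlist form rejects the input before any pattern is built. The allowlist approach is the stronger of the two when the set of legal values is known, since it removes the regex from the trust boundary entirely.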

References

Associated CWE

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=php_lang_regex_using_user_input

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=php_lang_regex_using_user_input