Unsanitized user input in regular expression

Description

Creating regular expressions from user input can lead to a vulnerability known as Regular Expression Denial of Service (ReDoS). Backtracking engines such as Python's re module take exponential time to match certain patterns (for example, nested quantifiers like (a+)+ followed by something that fails to match). An attacker who controls the pattern can therefore supply one that, on a suitable input, consumes a CPU core for seconds or longer, effectively causing a denial of service. Note that a pattern built from user input is dangerous even when the text being searched is trusted: the malicious part is the pattern itself.

Remediations

  • Do not construct regular expressions directly from user inputs. This can make your application susceptible to ReDoS attacks. If a user-supplied string must appear inside a pattern (for example, a search term), escape it with re.escape() so that it is matched literally and its metacharacters are not interpreted.
  • Consider using the third-party regex module for regular expressions in Python. Unlike the standard library re module, regex lets you set a timeout (in seconds) for a match and raises an exception when the limit is exceeded, which bounds the CPU time an attacker can consume. This mitigates the impact of a ReDoS attack but does not remove the underlying problem, so it should complement, not replace, the first remediation.
    regex.match(pattern, string, timeout=0.1)
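The following is an added example, not code from the Bearer rule page or the Bearer project, contrasting a search function that compiles user input directly as a pattern with the two mitigations above: re.escape() for the common case where the user is really supplying a literal search term, and the regex module's timeout for the rarer case where the user must supply a pattern. The function names, the sample inputs and the 0.1 second timeout are assumptions chosen for illustration; the third-party regex module is only needed for the timeout branch, and the example notes when it is missing rather than silently falling back to re.

```python
"""Added example: unsafe user-controlled regex versus two mitigations.

Not from the Bearer rule page. Function names and inputs are constructed
for illustration.
"""
import re
import time

try:
    import regex  # third-party module (pip install regex); supports timeout=
except ImportError:  # keep the rest of the example runnable without it
    regex = None


def search_unsafe(user_pattern: str, text: str) -> bool:
    """VULNERABLE: the user string is compiled and run as a pattern.

    Every metacharacter in user_pattern is interpreted, so an attacker can
    submit a backtracking bomb such as '(a+)+$' and pin a CPU core.
    """
    return re.search(user_pattern, text) is not None


def search_literal(user_text: str, text: str) -> bool:
    """SAFE: user input is escaped and can only match itself literally.

    Use this whenever the user is supplying a search term, not a pattern.
    """
    return re.search(re.escape(user_text), text) is not None


def search_with_timeout(user_pattern: str, text: str, timeout: float = 0.1):
    """Mitigation for the case where the user really must supply a pattern.

    Returns True/False when the match completes, or None when the regex
    module aborted it for exceeding `timeout` seconds (the module raises
    TimeoutError in that case). The stdlib re module has no equivalent.
    """
    if regex is None:
        raise RuntimeError("the third-party 'regex' module is not installed")
    try:
        return regex.search(user_pattern, text, timeout=timeout) is not None
    except TimeoutError:
        return None


def demo() -> None:
    # Constructed inputs: the "user" sends a pattern instead of a search term.
    haystack = "order id: caab-42"
    print("unsafe  'a+'  ->", search_unsafe("a+", haystack))    # True: quantifier applied
    print("literal 'a+'  ->", search_literal("a+", haystack))   # False: searched for "a+"
    print("literal 'a+'  ->", search_literal("a+", "x a+ y"))   # True: literal text present

    # Catastrophic pattern: (a+)+$ against many 'a's and a final '!' backtracks
    # exponentially. Only run it under the regex timeout, never with plain re.
    evil = "(a+)+$"
    victim = "a" * 40 + "!"
    if regex is None:
        print("regex module not installed; skipping timeout demo")
        return
    start = time.perf_counter()
    result = search_with_timeout(evil, victim, timeout=0.1)
    elapsed = time.perf_counter() - start
    print(f"evil pattern -> {result!r} after {elapsed:.2f}s (None means timed out)")


if __name__ == "__main__":
    demo()
```

Running the script shows the difference in interpretation: the unsafe function treats the user's "a+" as a quantifier and matches "caab", while the escaped version searches for the two characters "a+" and only matches text that actually contains them. The timeout branch returns None after about a tenth of a second instead of letting the evil pattern run, which is the behaviour to map to an HTTP 4xx response in a web handler.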

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=python_lang_regex_using_user_input

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=python_lang_regex_using_user_input