All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.sonar.plugins.csharp.S6444.html Maven / Gradle / Ivy

There is a newer version: 10.2.0.105762
Show newest version

Not specifying a timeout for regular expressions can lead to a Denial-of-Service attack. Pass a timeout when using System.Text.RegularExpressions to process untrusted input because a malicious user might craft a value for which the evaluation lasts excessively long.

Ask Yourself Whether

  • the input passed to the regular expression is untrusted.
  • the regular expression contains patterns vulnerable to catastrophic backtracking.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

  • It is recommended to specify a matchTimeout when executing a regular expression.
  • Make sure regular expressions are not vulnerable to Denial-of-Service attacks by reviewing the patterns.
  • Consider using a non-backtracking algorithm by specifying RegexOptions.NonBacktracking.

Sensitive Code Example

public void RegexPattern(string input)
{
    var emailPattern = new Regex(".+@.+", RegexOptions.None);
    var isNumber = Regex.IsMatch(input, "[0-9]+");
    var isLetterA = Regex.IsMatch(input, "(a+)+");
}

Compliant Solution

public void RegexPattern(string input)
{
    var emailPattern = new Regex(".+@.+", RegexOptions.None, TimeSpan.FromMilliseconds(100));
    var isNumber = Regex.IsMatch(input, "[0-9]+", RegexOptions.None, TimeSpan.FromMilliseconds(100));
    var isLetterA = Regex.IsMatch(input, "(a+)+", RegexOptions.NonBacktracking); // .Net 7 and above
    AppDomain.CurrentDomain.SetData("REGEX_DEFAULT_MATCH_TIMEOUT", TimeSpan.FromMilliseconds(100)); // process-wide setting
}

See





© 2015 - 2024 Weber Informatics LLC | Privacy Policy