• Home
• org.sonarsource.javascript
• javascript-checks
• 10.14.0.26080
• source code
• S4784.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.javascript.rules.javascript.S4784.html Maven / Gradle / Ivy

This rule is deprecated; use {rule:javascript:S5852} instead.
Using regular expressions is security-sensitive. It has led in the past to the following vulnerabilities:

  
 CVE-2017-16021 
  
 CVE-2018-13863 

Evaluating regular expressions against input strings is potentially an extremely CPU-intensive task. Specially crafted regular expressions such as
(a+)+s will take several seconds to evaluate the input string aaaaaaaaaaaaaaaaaaaaaaaaaaaaabs. The problem is that with
every additional a character added to the input, the time required to evaluate the regex doubles. However, the equivalent regular
expression, a+s (without grouping) is efficiently evaluated in milliseconds and scales linearly with the input size.
Evaluating such regular expressions opens the door to Regular expression Denial of Service (ReDoS) attacks.
In the context of a web application, attackers can force the web server to spend all of its resources evaluating regular expressions thereby making
the service inaccessible to genuine users.
This rule flags any execution of a hardcoded regular expression which has at least 3 characters and at least two instances of any of the following
characters: *+{.
Example: (a+)*
Ask Yourself Whether

  
 the executed regular expression is sensitive and a user can provide a string which will be analyzed by this regular expression. 
  
 your regular expression engine performance decrease with specially crafted inputs and regular expressions. 

There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Check whether your regular expression engine (the algorithm executing your regular expression) has any known vulnerabilities. Search for
vulnerability reports mentioning the one engine you’re are using.
Use if possible a library which is not vulnerable to Redos Attacks such as Google Re2.
Remember also that a ReDos attack is possible if a user-provided regular expression is executed. This rule won’t detect this kind of injection.
Sensitive Code Example
const regex = /(a+)+b/; // Sensitive
const regex2 = new RegExp("(a+)+b"); // Sensitive

str.search("(a+)+b"); // Sensitive
str.match("(a+)+b"); // Sensitive
str.split("(a+)+b"); // Sensitive

Note: String.matchAll does not raise any issue as it is not supported by NodeJS.
Exceptions
Some corner-case regular expressions will not raise an issue even though they might be vulnerable. For example: (a|aa)+,
(a|a?)+.
It is a good idea to test your regular expression if it has the same pattern on both side of a "|".
See

  
 OWASP - Top 10 2017 Category A1 - Injection 
  
 CWE - CWE-624 - Executable Regular Expression
  Error 
  
 OWASP Regular expression Denial of Service - ReDoS