Regular expression injection¶
ID: swift/regex-injectionKind: path-problemSecurity severity: 7.5Severity: errorPrecision: highTags: - security - external/cwe/cwe-730 - external/cwe/cwe-400Query suites: - swift-code-scanning.qls - swift-security-extended.qls - swift-security-and-quality.qls
Click to see the query in the CodeQL repository
Constructing a regular expression with unsanitized user input is dangerous, since a malicious user may be able to modify the meaning of the expression. They may be able to cause unexpected program behaviour, or perform a denial-of-service attack. For example, they may provide a regular expression fragment that takes exponential time to evaluate in the worst case.
Recommendation¶
Before embedding user input into a regular expression, use a sanitization function such asNSRegularExpression::escapedPattern(for:) to escape meta-characters that have special meaning.
Example¶
The following examples construct regular expressions from user input without sanitizing it first:
funcprocessRemoteInput(remoteInput:String){...// BAD: Unsanitized user input is used to construct a regular expressionletregex1=tryRegex(remoteInput)// BAD: Unsanitized user input is used to construct a regular expressionletregexStr="abc|\(remoteInput)"letregex2=tryNSRegularExpression(pattern:regexStr)...}
If user input is used to construct a regular expression it should be sanitized first. This ensures that the user cannot insert characters that have special meanings in regular expressions.
funcprocessRemoteInput(remoteInput:String){...// GOOD: Regular expression is not derived from user inputletregex1=tryRegex(myRegex)// GOOD: User input is sanitized before being used to construct a regular expressionletescapedInput=NSRegularExpression.escapedPattern(for:remoteInput)letregexStr="abc|\(escapedInput)"letregex2=tryNSRegularExpression(pattern:regexStr)...}