Recommendation¶

Before embedding user input into a regular expression, use a sanitization function such asPattern.quote to escape meta-characters that have special meaning.

Example¶

The following example shows an HTTP request parameter that is used to construct a regular expression.

In the first case the user-provided regex is not escaped. If a malicious user provides a regex whose worst-case performance is exponential, then this could lead to a Denial of Service.

In the second case, the user input is escaped usingPattern.quote before being included in the regular expression. This ensures that the user cannot insert characters which have a special meaning in regular expressions.

importjava.util.regex.Pattern;importjavax.servlet.http.HttpServlet;importjavax.servlet.http.HttpServletRequest;publicclassRegexInjectionDemoextendsHttpServlet{publicbooleanbadExample(javax.servlet.http.HttpServletRequestrequest){Stringregex=request.getParameter("regex");Stringinput=request.getParameter("input");// BAD: Unsanitized user input is used to construct a regular expressionreturninput.matches(regex);}publicbooleangoodExample(javax.servlet.http.HttpServletRequestrequest){Stringregex=request.getParameter("regex");Stringinput=request.getParameter("input");// GOOD: User input is sanitized before constructing the regexreturninput.matches(Pattern.quote(regex));}}

References¶

• OWASP:Regular expression Denial of Service - ReDoS.

• Wikipedia:ReDoS.

• Java API Specification:Pattern.quote.

• Common Weakness Enumeration:CWE-730.

• Common Weakness Enumeration:CWE-400.