Recommendation¶

For user input that is intended to be referenced as a string literal in a regular expression, use theRegex.Escape method to escape any special characters. If the regular expression is intended to be configurable by the user, then a timeout should be used to avoid Denial of Service attacks. For C# applications, a timeout can be provided to theRegex constructor. Alternatively, apply a global timeout by setting theREGEX_DEFAULT_MATCH_TIMEOUT application domain property, using theAppDomain.SetData method.

Example¶

The following example shows a HTTP request parameter that is used as a regular expression, and matched against another request parameter.

In the first case, the regular expression is used without a timeout, and the user-provided regex is not escaped. If a malicious user provides a regex that has exponential worst case performance, then this could lead to a Denial of Service.

In the second case, the user input is escaped usingRegex.Escape before being included in the regular expression. This ensures that the user cannot insert characters which have a special meaning in regular expressions.

usingSystem;usingSystem.Web;usingSystem.Text.RegularExpressions;publicclassRegexInjectionHandler:IHttpHandler{publicvoidProcessRequest(HttpContextctx){stringname=ctx.Request.QueryString["name"];stringuserInput=ctx.Request.QueryString["userInput"];// BAD: Unsanitized user input is used to construct a regular expressionnewRegex("^"+name+"=.*$").Match(userInput);// GOOD: User input is sanitized before constructing the regexstringsafeName=Regex.Escape(name);newRegex("^"+safeName+"=.*$").Match(userInput);}}

References¶

• OWASP:Regular expression Denial of Service - ReDoS.

• Wikipedia:ReDoS.

• Common Weakness Enumeration:CWE-730.

• Common Weakness Enumeration:CWE-400.