CodeQL documentation

Missing regular expression anchor

ID: rb/regex/missing-regexp-anchor
Kind: problem
Security severity: 7.8
Severity: warning
Precision: medium
Tags:
  - correctness
  - security
  - external/cwe/cwe-020
Query suites:
  - ruby-security-extended.qls
  - ruby-security-and-quality.qls


Sanitizing untrusted input with regular expressions is a common technique. However, it is error-prone to match untrusted input against regular expressions without anchors such as \A or \z. Malicious input can bypass such security checks by embedding one of the allowed patterns in an unexpected location.

Even if the matching is not done in a security-critical context, it may still cause undesirable behavior when the regular expression accidentally matches.

Recommendation

Use anchors to ensure that regular expressions match at the expected locations.

Example

The following example code checks that a URL redirection will reach the example.com domain, or one of its subdomains, and not some malicious site.

class UsersController < ActionController::Base
  def index
    # BAD: the host of `params[:url]` may be controlled by an attacker
    if params[:url].match? /https?:\/\/www\.example\.com\//
      redirect_to params[:url]
    end
  end
end

The check with the regular expression match is, however, easy to bypass. For example, by embedding http://example.com/ in the query string component: http://evil-example.net/?x=http://example.com/. Address these shortcomings by using anchors in the regular expression instead:

class UsersController < ActionController::Base
  def index
    # GOOD: the host of `params[:url]` can not be controlled by an attacker
    if params[:url].match? /\Ahttps?:\/\/www\.example\.com\//
      redirect_to params[:url]
    end
  end
end

A related mistake is to write a regular expression with multiple alternatives, but to only include an anchor for one of the alternatives. As an example, the regular expression /^www\.example\.com|beta\.example\.com/ will match the host evil.beta.example.com because the regular expression is parsed as /(^www\.example\.com)|(beta\.example\.com)/.

In Ruby the anchors ^ and $ match the start and end of a line, whereas the anchors \A and \z match the start and end of the entire string. Using line anchors can be dangerous, as this can allow malicious input to be hidden using newlines, leading to vulnerabilities such as HTTP header injection. Unless you specifically need the line-matching behaviour of ^ and $, you should use \A and \z instead.
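The three pitfalls described above (an unanchored match, an alternation with an anchor on only one branch, and line anchors used where string anchors were meant), each beside its anchored fix, as an added Ruby example that is not part of the CodeQL documentation. The sample URLs, hostnames and header value are constructed, and the helper names are my own.

```ruby
# Added example (not the CodeQL documentation's own code): each unanchored
# pattern from the text beside its anchored fix. Sample inputs are constructed.

# 1. Redirect target: unanchored vs. anchored at the start of the string.
UNANCHORED_URL = /https?:\/\/www\.example\.com\//
ANCHORED_URL   = /\Ahttps?:\/\/www\.example\.com\//

def unsafe_redirect_allowed?(url)
  UNANCHORED_URL.match?(url) # matches anywhere, e.g. inside a query string
end

def redirect_allowed?(url)
  ANCHORED_URL.match?(url) # must match from the first character
end

# 2. Alternation: `|` binds loosest, so /^www...|beta.../ is parsed as
#    /(^www\.example\.com)|(beta\.example\.com)/ and only the first branch
#    is anchored. Grouping the alternatives puts both under \A and \z.
HALF_ANCHORED_HOST = /^www\.example\.com|beta\.example\.com/
GROUPED_HOST       = /\A(?:www|beta)\.example\.com\z/

def unsafe_host_allowed?(host)
  HALF_ANCHORED_HOST.match?(host)
end

def host_allowed?(host)
  GROUPED_HOST.match?(host)
end

# 3. Line anchors vs. string anchors: ^ and $ also match at embedded
#    newlines, so a value carrying a newline still passes a /^...$/ check.
LINE_ANCHORED   = /^[a-z]+$/
STRING_ANCHORED = /\A[a-z]+\z/

def unsafe_single_token?(value)
  LINE_ANCHORED.match?(value)
end

def single_token?(value)
  STRING_ANCHORED.match?(value)
end

if __FILE__ == $PROGRAM_NAME
  bypass_url = "http://evil-example.net/?x=http://www.example.com/" # constructed
  injected   = "abc\nInjected-Header: x"                             # constructed
  puts "url:   unanchored=#{unsafe_redirect_allowed?(bypass_url)} anchored=#{redirect_allowed?(bypass_url)}"
  puts "host:  half=#{unsafe_host_allowed?('evil.beta.example.com')} grouped=#{host_allowed?('evil.beta.example.com')}"
  puts "token: line=#{unsafe_single_token?(injected)} string=#{single_token?(injected)}"
end
```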
